Why does PayPal limit password length to 20 characters?
Passwords are sort of an anti-feature of the browsing experience. They’re designed to deter: a necessary wall. Frequent account users have developed their own coping mechanisms for this obstacle whenever they see it. Many simply use the same, weak password everywhere, a maladaptive behavior. If one password is compromised, all accounts are compromised. Many forget their password and reset it each time, quickly logging into their Gmail to click on a link.
If passwords are a necessary wall, we should examine it carefully. The worst thing about passwords is that they’re often either
- too short to be effective
- too complicated to remember
There are such easy fixes to these issues, like using a password manager, or my preference, using a mnemonic device. Password advocacy isn’t the point of
Longer, sentence-length mnemonics tend to be easier to remember than shorter, symbol-laden passwords — and they’re more secure. I may have horrible short-term memory, but I never forget my sentence-length passwords, unique for my every account.
That’s why websites push you toward these longer, more secure, more memorable passwords—because they care about your security.
But not PayPal
When I signed up for PayPal, I started typing in a corresponding mnemonic that would make sense. After all, it’s critical that my PayPal account stays secure. I gave them my bank account, credit cards, even my SSN. I put in a sentence like there are 51 stubby potatoes perform e-commerce, without any spaces. It was a 40-character password with digits and special symbols. It was the Fort Knox of passwords.
Here’s what I was greeted with:
Use 8–20 characters.
The design choice
I can make a few guesses as to why PayPal made this design choice. It was possibly to prevent people from making passwords too long to remember. Maybe they wanted to prevent people from using excessively long, random key strings like ]J2^x=HDJn"Xfq6W(N-w]z.?[Aca)w. Maybe they’re just being a little negligent. Or maybe it was because of storage limitations; perhaps it just isn’t scalable to host millions of accounts with longer passwords.
It’s likely a combination of those three reasons—and these reasons illustrate how PayPal envisions their end-users. The prototypical PayPal end-user doesn’t have very long passwords, and therefore probably isn’t super tech-literate, and (in PayPal’s opinion) would benefit from corralling passwords to 8–20 characters.
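To put the storage guess to a concrete test, here is an added Python example (written for this page; it is not PayPal’s code and the policy numbers in it are constructed for illustration). It hashes passwords with PBKDF2-HMAC-SHA256 from the standard library, the way a site should store them, and shows that the bytes kept per account are the same for an 8-character password and a 40-character sentence, so a length cap saves nothing on storage. It also contrasts a 20-character cap with a generous upper bound: the one legitimate job of a maximum is to bound the hashing work per login attempt, and that bound can sit far above sentence length.

```python
import hashlib
import hmac
import secrets

# Length policy for this illustration (constructed values, not PayPal's actual rules).
MIN_LEN = 8
PAYPAL_STYLE_MAX = 20   # the cap the post describes
GENEROUS_MAX = 128      # high enough for sentence-length mnemonics, still bounds hashing cost

# Iteration count kept modest so the example runs quickly; production deployments use more.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def check_policy(password, max_len):
    """Return (accepted, reason) for a length-only policy with the given upper bound."""
    n = len(password)
    if n < MIN_LEN:
        return False, "too short ({} < {})".format(n, MIN_LEN)
    if n > max_len:
        return False, "too long ({} > {})".format(n, max_len)
    return True, "ok"


def hash_password(password, salt=None):
    """Derive a fixed-size credential from the password.

    The digest is always DIGEST_BYTES long, whatever the password length,
    so the stored record does not grow with longer passwords.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def storage_cost(password):
    """Bytes stored per account (salt + digest); independent of password length."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


if __name__ == "__main__":
    sentence = "thereare51stubbypotatoesperforme-commerce"   # the post's example, spaces removed
    short = "password"
    for pw in (short, sentence):
        print(len(pw), "chars ->", storage_cost(pw), "bytes stored;",
              "20-cap:", check_policy(pw, PAYPAL_STYLE_MAX)[1],
              "| 128-cap:", check_policy(pw, GENEROUS_MAX)[1])
```

Two things fall out of running it: the stored record is 48 bytes for both passwords, and the only policy that rejects the mnemonic is the 20-character cap. Some hashing functions impose their own ceiling (bcrypt, for instance, only consumes the first 72 bytes of input), which is an honest reason for a site to set a maximum, but that ceiling is still well above 20.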
The 8–20 limit doesn’t stop the pre-existing maladaptive behaviors that Internet users at large have developed: using identical, weak passwords everywhere.
What’s the fix?
There is a bigger phenomenon that needs to happen. People need to change the way they make and use passwords. Passwords are in a unique position of the user experience, because they’re something the user designs for themself—and not everyone is a good designer. I can wager that your first password was shit. No, really, shit is a pretty common password.
Everyone should be taught in grade school how to make their own passwords learnable, memorable, and usable. The onus is on us here. We should be leveraging our existing mental set to make creative passwords. But until password proprietors like PayPal let us make our passwords memorable, complex mnemonic sentences, they’ll be instigating us to make passwords that are non-learnable, non-memorable, and non-usable.