Password length has arbitrary and undocumented length limit
I went to change my password today and had my password manager generate a random 100 character password. Twitch said "That password is too easy to guess" and points me at a page that just says it needs to be "at least 8 characters long". I get the same error with length 90 and 80. Through trial and error, apparently 71 is the maximum usable length.
It's unclear why there's a maximum limit, so I'd recommend removing that. Otherwise, the error message should indicate what the actual problem is.

-
megaschara commented
Why is this bug still a thing almost a year later?!
-
PhantomHydraPH commented
Apparently, ASCII characters make the password be considered weak, regardless of complexity or length.
I tried 'ÿUÍê}§)?\uع¬ú4})Ì{i*X9úÔÆbP¥n³ÖôE¹Ì$:Ñ<àµX\ÎÑÀá"' and it said it was a weak password. -
carnage4u commented
I tried for 20 minutes to change my password and failed. I have over 30 different passwords that I use multiple variants for work/personal use. NOTHING I have tried would work with your password reset system.
Numbers, symbols, mix of capital/lower case letters. I may have to simply never use twitch again as I cannot change my password to anything remotely possibly to remember.
My feedback is simply. I hope the person that came up with your password requirements dies alone.
also thanks for giving me final push to watch streaming on all other platform options.
-
sonsofzeruiah commented
Currently, the requirements for a password is far too vague. I spent 15 minutes trying different passwords until one arbitrarily worked. Why is there no clear indication of what is required? Why say a password is weak but acceptable, just to reject it as soon as its submitted?
Please tell users what a password MUST possess to be counted. Be clear and direct, for example: "Your password must contain at least 8 characters, 1 number, and a space between letters" or what have you, because this is far too much of a guessing game. This is the only time I've ever encountered such an undefined system for passwords. Nearly every other log in website makes their requirements clear.
-
Musicita commented
Please provide clear feedback on what the minimum requirements for a password are instead of vague statements such as "too weak."
Without clear instructions, users are forced to try multiple variations of a password until they guess one that Twitch will accept; they must then remember which one they used, which can be difficult.
The FAQ page on how to create a strong password provides no assistance.
A line of text such as, "Passwords must be at least eight characters long, contain upper and lower case letters, and at least x number of symbols and numbers" would be immensely helpful.
I have no idea what the actual text would be since I have spent the past several minutes unsuccessfully trying to create a password that I will both remember and fits your unusually strict (yet vague) guidelines so I can reset my password.
-
Malisbad commented
It doesn't pass the front end validator, but they check the password strength anyways (on the BE for some reason) to power their indicator. That probably has insufficient guarding on the backend (any number of things), and returns a -1 score for password strength. That yields a second error that quickly overwrites the original length error, and it looks silly. The problem lies _mostly_ on their backend because it shows that their validators aren't aligned, and their strength function provides incorrect results. It could be a source of problems for them.
-
TvanDinter commented
While experimenting w/ different lengths, in the area showing the error message, I did see something flash up about "72 characters". It may be trying to tell me about a length limit but the text gets replaced immediately w/ the useless "too easy" message.
-
Stekeblad commented
The change password page does also incorrectly report that the password is too easy to guess if it contains forbidden characters. A character that works in my current password is not allowed in the new I am attempting