[WEB SECURITY] Max size of a password
nileshkumar83 at yahoo.co.in
Mon May 23 08:54:45 EDT 2011
If the website is imposing a length restriction on your passwords
entered, it's possible that they are storing it in clear text. May be in
backend the password field is VARCHAR with maximum length defined. On
the other hand, if they are hashing the password before storing it, they
need not worry about the length of the password entered by the end user
as the hashed password will be of 'fixed' maximum size, no matter how
long/short the user enters his password. How does that sound?
One nice post here:http://off-the-wall-security.blogspot.com/2011/03/signs-of-broken-authentication-part-1.html
Thanks & Regards,
--- On Sun, 22/5/11, Gautam <itsecanalyst at gmail.com> wrote:
From: Gautam <itsecanalyst at gmail.com>
Subject: Re: [WEB SECURITY] Max size of a password
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: websecurity at webappsec.org
Date: Sunday, 22 May, 2011, 4:03 AM
Thanks everyone for writing, MustLive i have expressed my opinion on mimimum limit and No maximum limit.
However while i wrote this post to this forum I was thinking in backend about how this impacts hashing results and the length.
As we all know storing just pain-text passwords would be the biggest blunder that anyone could do, so I recommend doing at least Salted-SHA versions.
Now my delima is
SHA256(AAA) = some 256 bit hash
SHA256(AAABB) = is also 256 bit hash
so with this reasoning will it make sense if i say no limit or just a reasonable limit of 14 character since the result is always going to be 128bit text be it 8 characters or 14 characters.
Let me know your views.
On Sat, May 21, 2011 at 1:52 PM, MustLive <mustlive at websecurity.com.ua> wrote:
My recommendations concerning minimum and maximum password's length are the
- minimum - 8 characters,
- maximum - no limits (but you can add limits depending on hardware
I haven't heard about industry's password best practices, but from 2005 in
my own security manual I was recommending above-mentioned 8 characters
minimum length (and with time it's needed to revise this limit).
in case anyone got it to perform offline attack.
Not only offline, but online attacks are possible. And in case if Brute
Force vulnerability will be in your system and nothing will be made to
prevent such attacks, then only strong passwords will be the last barrier
So take into account my recommended minimum length of password. Because too
short passwords can be not only easily picked up at offline attack, but
also at online attack.
Best wishes & regards,
Administrator of Websecurity web site
----- Original Message ----- From: Gautam
To: websecurity at webappsec.org
Sent: Friday, May 20, 2011 6:23 PM
Subject: Max size of a password
I was recently reviewing a internal document and noticed that the the
requirement for password mentioned that it should be minimum 7 characters
and maximum 14 characters.
While i was ok with the minimum, I was not ok with maximum 14 since I
believe that we should not put a restriction on the maximum and user can
stretch it as per their comfort. I suggested that you can have it as 256 if
at all you want to make any limits. I know people use automated tools for
pwd generation and management these days and larger (complex) passwords
would always add more work factor in case anyone got it to perform offline
I want to know from you experts,
- Since whatever goes will be hashed to SHA-256 (Salted) will my
above point make any difference if the original pwd is 7 characters or 14 or
- I also wanted to know any pointers on documents that industry
refers for password best practices. Working with industry baseline is easy
Appreciate your help
-----Inline Attachment Follows-----
The Web Security Mailing List
WebSecurity RSS Feed
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
websecurity at lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity