[WEB SECURITY] Max size of a password

Gautam itsecanalyst at gmail.com
Fri May 20 11:23:21 EDT 2011


Hi,

I was recently reviewing an internal document and noticed that the
requirement for passwords stated that they should be a minimum of 7 characters
and a maximum of 14 characters.

While I was OK with the minimum, I was not OK with a maximum of 14, since I
believe that we should not put a restriction on the maximum and users can
stretch it as per their comfort. I suggested that you can have it as 256 if
at all you want to make any limits. I know people use automated tools for
password generation and management these days, and larger (complex) passwords
would always add more work factor in case anyone got it to perform an offline
attack.

I want to know from you experts:
         -  Since whatever goes in will be hashed with SHA-256 (salted), will my
above point make any difference if the original password is 7 characters, 14, or
larger?
         -  I also wanted to know of any pointers to documents that industry
refers to for password best practices. Working with an industry baseline is easy
for me.

Appreciate your help.

Thanks,
Gautam.
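The following script is an added illustration of the two points raised above; it is not part of the original post and not code from the list. It assumes the post's scheme literally, hash(salt || password) with SHA-256 and a random per-user salt, and uses the 7/256 bounds as hypothetical policy values. It shows that the stored digest is 32 bytes whether the password is 7 or 256 characters long (so storage gives no reason to cap at 14), that the same password hashes differently under different salts, and how the offline guessing space grows with length.

```python
import hashlib
import math
import os

# Hypothetical policy values (constructed for this example): the minimum from
# the reviewed document and the 256-character upper bound suggested in the post.
MIN_LEN = 7
MAX_LEN = 256

# Printable ASCII, the alphabet assumed for the search-space estimate below.
ALPHABET_SIZE = 94


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as described in the post: SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def digest_size_for(password: str) -> int:
    """Size in bytes of what gets stored; independent of password length."""
    salt = os.urandom(16)
    return len(salted_sha256(password, salt))


def salts_separate_equal_passwords(password: str) -> bool:
    """Two users with the same password get different digests when salts differ."""
    d1 = salted_sha256(password, os.urandom(16))
    d2 = salted_sha256(password, os.urandom(16))
    return d1 != d2


def check_length(password: str) -> bool:
    """Policy check: enforce a floor, and only a generous ceiling."""
    return MIN_LEN <= len(password) <= MAX_LEN


def search_space_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """log2 of the number of candidate strings of the given length.

    Each extra character multiplies the space an offline attacker must cover
    by the alphabet size, so the exponent grows linearly with length.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (7, 14, 256):
        pw = "x" * n  # constructed sample password of length n
        print(f"len={n:3d} digest={digest_size_for(pw)} bytes "
              f"allowed={check_length(pw)} space=2^{search_space_bits(n):.0f}")
    print("salt separates equal passwords:", salts_separate_equal_passwords("correct horse"))
```

Note that a salted SHA-256 computes in microseconds, so the work factor in the guessing space above comes entirely from password length and alphabet, not from the hash; if you need the hash itself to be expensive per guess, that is what purpose-built password hashes (bcrypt, scrypt, PBKDF2) are for, and with such a hash a generous upper bound like 256 also keeps the per-login hashing cost predictable.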