[WEB SECURITY] Max size of a password

Gautam itsecanalyst at gmail.com
Fri May 20 11:23:21 EDT 2011


I was recently reviewing an internal document and noticed that the
requirement for password mentioned that it should be minimum 7 characters
and maximum 14 characters.

While I was OK with the minimum, I was not OK with maximum 14 since I
believe that we should not put a restriction on the maximum and users can
stretch it as per their comfort. I suggested that you can have it as 256 if
at all you want to make any limits. I know people use automated tools for
pwd generation and management these days and larger (complex) passwords
would always add more work factor in case anyone got it to perform offline

I want to know from you experts:
  - Since whatever goes will be hashed to SHA-256 (Salted), will my
    above point make any difference if the original pwd is 7 characters or 14 or
  - I also wanted to know any pointers on documents that industry
    refers to for password best practices. Working with industry baseline is easy
    for me.

Appreciate your help
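An added example (not part of the original post) that checks the two points the post raises in Python: a salted SHA-256 digest is 32 bytes whether the password is 7, 14 or 256 characters, so a higher cap costs nothing in storage, while the offline guessing space grows exponentially with length. The salt, the 94-symbol printable alphabet and the guess rate of 10^10 per second are constructed assumptions, not figures from the post.

```python
import hashlib
import math
import string

# Constructed assumptions: printable-ASCII alphabet (94 symbols) and the
# three lengths discussed in the post (7 minimum, 14 maximum, 256 suggested).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTHS = (7, 14, 256)
SECONDS_PER_YEAR = 365 * 24 * 3600


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as the post describes: SHA-256(salt || password).

    The digest is always 32 bytes regardless of password length, so the
    stored value (and the database column) does not grow with a higher cap.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def guess_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the number of candidates for a uniformly random password of
    the given length drawn from the alphabet (the offline work factor)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: int,
                     alphabet_size: int = len(ALPHABET)) -> int:
    """Worst-case years to enumerate the whole space at a fixed guess rate.

    Integer arithmetic is used on purpose: 94**256 overflows a float but is
    an ordinary Python int.
    """
    candidates = alphabet_size ** length
    return candidates // (guesses_per_second * SECONDS_PER_YEAR)


def length_report(guesses_per_second: int = 10**10) -> dict:
    """Per-length summary: digest size, work-factor bits, worst-case years."""
    salt = b"constructed-salt"  # constructed; a real salt is random per user
    report = {}
    for n in LENGTHS:
        digest = salted_sha256("a" * n, salt)
        report[n] = {
            "digest_bytes": len(digest),
            "bits": round(guess_space_bits(n), 1),
            "years": years_to_exhaust(n, guesses_per_second),
        }
    return report


if __name__ == "__main__":
    for n, row in length_report().items():
        print(f"{n:>3} chars: {row}")
```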
