[WEB SECURITY] Max size of a password

Paul McMillan paul at mcmillan.ws
Fri May 20 15:14:37 EDT 2011

Those requirements tend (in my experience) to have survived via
copy-pasta from ancient systems which did store the password in
plaintext, and thus had real length limits based in the database. Each
new iteration of the system has someone who looks at the requirement
and says "hmmm... I guess there's probably a good security reason for
it to be that way, I'm not going to stick my neck out and change it".
At this point, these things should allow long characters, with a
practical length limit dictated by other limitations (maybe your
server doesn't accept POST requests over 4k, or maybe you just don't
want to hash something that large).


On Fri, May 20, 2011 at 8:23 AM, Gautam <itsecanalyst at gmail.com> wrote:
> Hi,
> I was recently reviewing an internal document and noticed that the
> requirement for password mentioned that it should be minimum 7 characters
> and maximum 14 characters.
> While I was ok with the minimum, I was not ok with maximum 14 since I
> believe that we should not put a restriction on the maximum and user can
> stretch it as per their comfort. I suggested that you can have it as 256 if
> at all you want to make any limits. I know people use automated tools for
> pwd generation and management these days and larger (complex) passwords
> would always add more work factor in case anyone got it to perform offline
> attack.
> I want to know from you experts,
>          -  Since whatever goes will be hashed to SHA-256 (Salted), will my
> above point make any difference if the original pwd is 7 characters or 14 or
> larger?
>          -  I also wanted to know any pointers on documents that industry
> refers to for password best practices. Working with industry baseline is easy
> for me.
> Appreciate your help
> Thanks,
> Gautam.
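As an added example, not code from either poster: a small Python script that applies the policy discussed in the thread (the 7-character minimum, no short maximum, and a practical byte cap standing in for a server-side limit such as POST size), shows that a salted SHA-256 record takes the same storage whatever the password length, and computes the offline guess-space estimate behind the work-factor point. The 1024-byte cap and the 95-character printable alphabet are assumptions, not values from the thread.

```python
import hashlib
import math
import os

# MIN_CHARS comes from the thread; MAX_BYTES is an assumed practical ceiling
# (e.g. well under a server's POST size limit), not a security limit, so users
# and password managers can pick long passphrases freely.
MIN_CHARS = 7
MAX_BYTES = 1024


def check_policy(password: str) -> tuple:
    """Accept anything from MIN_CHARS up to MAX_BYTES of UTF-8; no short maximum."""
    if len(password) < MIN_CHARS:
        return False, "too short"
    if len(password.encode("utf-8")) > MAX_BYTES:
        return False, "exceeds practical byte cap"
    return True, "ok"


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as described in the thread; the digest is always 32 bytes."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def stored_size(password: str, salt: bytes) -> int:
    """Bytes the stored record needs (salt + digest), independent of password length.
    This is why a database column never needs to cap the password itself."""
    return len(salt) + len(salted_sha256(password, salt))


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the candidate space an offline attacker must cover for a random
    password of this length over this alphabet (the work-factor estimate)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ["abc", "seven77", "x" * 14, "y" * 256, "z" * 2000]:
        ok, why = check_policy(pw)
        size = stored_size(pw, salt) if ok else None
        print(f"{len(pw):5d} chars -> {why:26s} stored bytes={size}")
    for n in (7, 14, 256):
        print(f"{n:3d} random printable chars: {guess_space_bits(n, 95):.1f} bits")
```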
