[WEB SECURITY] Max size of a password

Arian J. Evans arian.evans at anachronic.com
Fri May 20 15:13:44 EDT 2011

I would not specify max password unless you find you have a need to.

The only two possible reasons I can come up with that might be
legitimate reasons for Max(value) definition are:

+ legacy system compatibility
+ early studies showed users are more likely to write down passwords
over a certain length and keep them on monitor/under keyboard

Regarding legacy system compatibility: once people started gluing
together modern OS/2 and Banyan Vines systems, err wait, Windows with
mainframes and web apps and all that, they would write some darn
kludgy code to provide SSO-like features. So it would be possible to
set a max size password on the more modern system (or unified web UI)
larger than the legacy systems would support. If error handling were
suboptimal, you'd wind up a with a truncated password on certain
systems and you wouldn't know what it was truncated too
so.....basically the user just couldn't log it to certain systems or
use parts of the unified app. So you'd set the max at the max of the
most limited legacy system. Ah, the memories of glue code developers.

Finally - using Occam's Razor you could just assume it is an artifact
of the disease known as Policy Wonk Myopia. This is a common
psychological condition that affects those who spend too high of a
percentage of their time writing information security and governance
policies. You can spot these folks pretty easily, they usually wind up
speaking in a monotone like Charles Cresson Wood.

Arian Evans
Perpetuating Pragmatic Practicable Policies

On Fri, May 20, 2011 at 8:23 AM, Gautam <itsecanalyst at gmail.com> wrote:
> Hi,
> I was recently reviewing a internal document and noticed that the the requirement for password mentioned that it should be minimum 7 characters and maximum 14 characters.
> While i was ok with the minimum, I was not ok with maximum 14 since I believe that we should not put a restriction on the maximum and user can stretch it as per their comfort. I suggested that you can have it as 256 if at all you want to make any  limits. I know people use automated tools for pwd generation and management these days and larger (complex) passwords would always add more work factor in case anyone got it to perform offline attack.
> I want to know from you experts,
>          -  Since whatever goes will be hashed to SHA-256 (Salted) will my above point make any difference if the original pwd is 7 characters or 14 or larger.
>          -  I also wanted to know any pointers on documents that industry refers for password best practices. Working with industry baseline is easy for me.
> Appreciate your help
> Thanks,
> Gautam.
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list