[WEB SECURITY] Max size of a password

harry at woodward-clarke.com
Fri May 20 18:58:15 EDT 2011


G'day,

As implied by a couple of other posts, there were systems with a 14
character limit to passwords. Typically early Windows NT (3 and 4) systems.
With the kernel re-write for V5 (win2k and greater) this limitation was
removed - well, increased to 127 chars, and may possibly be even larger in
the V6 kernel (2k8/vista and greater).

I recall hitting this 'limit' integrating OpenVMS systems and WinNT
systems. VMS allowed long, _really_ long passwords, but we had to restrict
them to 14 characters for interoperability with NT. This did not sit well
with the paranoid among us :)

Ah... memories...

So, the long-and-short is, if you _still_ have some of the legacy systems
(either physical, virtual or emulated - e.g. Samba 2 as PDC) then this
restriction will have to stay, but if you're in the 21st Century, this
restriction can be dropped - or rather, bumped up to "127 characters".

hth,

.h

On Fri, 20 May 2011 08:23:21 -0700, Gautam <itsecanalyst at gmail.com> wrote:
> Hi,
> 
> I was recently reviewing an internal document and noticed that the
> requirement for password mentioned that it should be minimum 7 characters
> and maximum 14 characters.
> 
> While I was ok with the minimum, I was not ok with maximum 14 since I
> believe that we should not put a restriction on the maximum and user can
> stretch it as per their comfort. I suggested that you can have it as 256 if
> at all you want to make any limits. I know people use automated tools for
> pwd generation and management these days and larger (complex) passwords
> would always add more work factor in case anyone got it to perform offline
> attack.
> 
> I want to know from you experts,
>          -  Since whatever goes will be hashed to SHA-256 (Salted) will my
> above point make any difference if the original pwd is 7 characters or 14
> or larger.
>          -  I also wanted to know any pointers on documents that industry
> refers for password best practices. Working with industry baseline is easy
> for me.
> 
> Appreciate your help
> 
> Thanks,
> Gautam.
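An added example (not from either poster) that works through Gautam's question in Python: with a salted SHA-256 store the digest is 32 bytes whatever the password length, so nothing on the storage side forces a 14-character cap, while the offline brute-force keyspace an attacker must search grows with every character allowed. The 7/256 policy bounds and the 95-symbol printable-ASCII alphabet are assumptions used for illustration.

```python
import hashlib
import hmac
import math


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as described in the thread.

    The digest is always 32 bytes, so the stored value has the same size
    for a 7-character and a 200-character password.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored salted digest."""
    return hmac.compare_digest(salted_sha256(password, salt), stored)


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """Bits of work an offline brute-force attacker faces for a password of
    `length` characters drawn uniformly from `alphabet_size` symbols
    (95 = printable ASCII, an assumed alphabet).

    Each additional character multiplies the search by alphabet_size, so a
    14-character password costs twice as many bits as a 7-character one.
    """
    return length * math.log2(alphabet_size)


def check_policy(password: str, minimum: int = 7, maximum: int = 256) -> bool:
    """Length policy discussed in the thread: keep the real minimum (7) and
    use a generous maximum (256) only as a sanity bound, not 14."""
    return minimum <= len(password) <= maximum


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value, not a real salt
    for n in (7, 14, 64):
        digest = salted_sha256("p" * n, salt)
        print(f"len={n:3d} digest_bytes={len(digest)} "
              f"keyspace_bits={keyspace_bits(n):.1f} "
              f"policy_ok={check_policy('p' * n)}")
```

Because a plain salted SHA-256 is cheap per guess, the password's own keyspace is the only work factor left for the attacker, which is exactly why a 14-character ceiling costs more than it saves.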
