[WEB SECURITY] Max size of a password

Gautam gautam.edu at gmail.com
Fri May 20 18:37:43 EDT 2011


Thank you for the information. I agree with your comments.

On Fri, May 20, 2011 at 11:14 AM, Paul McMillan <paul at mcmillan.ws> wrote:

> Those requirements tend (in my experience) to have survived via
> copy-pasta from ancient systems which did store the password in
> plaintext, and thus had real length limits based in the database. Each
> new iteration of the system has someone who looks at the requirement
> and says "hmmm... I guess there's probably a good security reason for
> it to be that way, I'm not going to stick my neck out and change it".
> At this point, these things should allow long characters, with a
> practical length limit dictated by other limitations (maybe your
> server doesn't accept POST requests over 4k, or maybe you just don't
> want to hash something that large).
>
> -Paul
>
> On Fri, May 20, 2011 at 8:23 AM, Gautam <itsecanalyst at gmail.com> wrote:
> > Hi,
> >
> > I was recently reviewing an internal document and noticed that the
> > requirement for password mentioned that it should be minimum 7 characters
> > and maximum 14 characters.
> >
> > While I was ok with the minimum, I was not ok with maximum 14 since I
> > believe that we should not put a restriction on the maximum and user can
> > stretch it as per their comfort. I suggested that you can have it as 256 if
> > at all you want to make any limits. I know people use automated tools for
> > pwd generation and management these days and larger (complex) passwords
> > would always add more work factor in case anyone got it to perform offline
> > attack.
> >
> > I want to know from you experts,
> >   - Since whatever goes will be hashed to SHA-256 (Salted) will my
> > above point make any difference if the original pwd is 7 characters or 14 or
> > larger.
> >   - I also wanted to know any pointers on documents that industry
> > refers for password best practices. Working with industry baseline is easy
> > for me.
> >
> > Appreciate your help
> >
> > Thanks,
> > Gautam.
> >
> >
> >
> >
> >
> > _______________________________________________
> > The Web Security Mailing List
> >
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> >
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> > WASC on Twitter
> > http://twitter.com/wascupdates
> >
> > websecurity at lists.webappsec.org
> >
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >
> >
>



-- 

Regards,

Gautam
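Paul's point above (allow long passwords and let the upper bound come from practical limits such as request size or hashing cost) and Gautam's question about whether extra length matters once the password is salted and hashed, as an added Python example that is not part of this thread. It assumes the thread's numbers (minimum 7, Gautam's suggested 256 as the only cap), applies them to the UTF-8 byte length, and reproduces the salted SHA-256 construction Gautam describes; the `salt || password` layout is an assumption.

```python
import hashlib
import os
import unicodedata
from typing import Optional, Tuple

# Policy values taken from the thread: minimum 7, and the 256 Gautam proposed
# as the only upper bound. Both are applied to the UTF-8 byte length, because
# the practical limits Paul mentions (request body size, hashing cost) are
# byte limits, not character counts.
MIN_BYTES = 7
MAX_BYTES = 256


def _canonical_bytes(password: str) -> bytes:
    """NFC-normalise so the same visible password always hashes the same way."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def check_password_length(password: str) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects out-of-range input; never silently truncates."""
    n = len(_canonical_bytes(password))
    if n < MIN_BYTES:
        return False, f"shorter than {MIN_BYTES} bytes"
    if n > MAX_BYTES:
        return False, f"longer than {MAX_BYTES} bytes"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted SHA-256 as described in the thread (assumed layout: salt || password).

    The whole password is fed to the hash, so every byte beyond 14 changes the
    digest; a store that truncated at 14 would throw that extra work factor away.
    """
    ok, reason = check_password_length(password)
    if not ok:
        raise ValueError(reason)
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt
    digest = hashlib.sha256(salt + _canonical_bytes(password)).digest()
    return salt, digest


def hashes_differ_beyond_14(salt: bytes) -> bool:
    """True if characters past position 14 still affect the stored hash."""
    longer = "correct-horse-b"          # constructed 15-character sample
    _, short_digest = hash_password(longer[:14], salt)
    _, long_digest = hash_password(longer, salt)
    return short_digest != long_digest
```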