[WEB SECURITY] Max size of a password
gautam.edu at gmail.com
Fri May 20 18:37:43 EDT 2011
Thank you for the information. I agree with your comments.
On Fri, May 20, 2011 at 11:14 AM, Paul McMillan <paul at mcmillan.ws> wrote:
> Those requirements tend (in my experience) to have survived via
> copy-pasta from ancient systems which did store the password in
> plaintext, and thus had real length limits based in the database. Each
> new iteration of the system has someone who looks at the requirement
> and says "hmmm... I guess there's probably a good security reason for
> it to be that way, I'm not going to stick my neck out and change it".
> At this point, these things should allow long characters, with a
> practical length limit dictated by other limitations (maybe your
> server doesn't accept POST requests over 4k, or maybe you just don't
> want to hash something that large).
> On Fri, May 20, 2011 at 8:23 AM, Gautam <itsecanalyst at gmail.com> wrote:
> > Hi,
> > I was recently reviewing an internal document and noticed that the
> > requirement for passwords mentioned that they should be minimum 7 characters
> > and maximum 14 characters.
> > While I was OK with the minimum, I was not OK with a maximum of 14 since I
> > believe that we should not put a restriction on the maximum and users can
> > stretch it as per their comfort. I suggested that you can have it as 256
> > if at all you want to make any limits. I know people use automated tools for
> > pwd generation and management these days and larger (complex) passwords
> > would always add more work factor in case anyone got it to perform an
> > attack.
> > I want to know from you experts:
> > - Since whatever goes in will be hashed to SHA-256 (salted), will the
> > above point make any difference if the original pwd is 7 characters or 14
> > or larger?
> > - I also wanted to know of any pointers to documents that the industry
> > refers to for password best practices. Working with an industry baseline is
> > for me.
> > Appreciate your help
> > Thanks,
> > Gautam.
> > _______________________________________________
> > The Web Security Mailing List
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > WASC on Twitter
> > http://twitter.com/wascupdates
> > websecurity at lists.webappsec.org
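An added illustration of the points in this thread (not code from the list or its posters): the legacy 7-14 rule beside a relaxed rule whose only cap is the byte budget one is willing to accept and hash, plus the salted SHA-256 named in the question, showing that the stored digest has the same size whether the password is 7 or several hundred characters. The policy values and the 4096-byte budget are constructed for the example; SHA-256 is kept to match the thread, though a slow password hash (bcrypt, scrypt, Argon2) is the usual practitioner's choice.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed policies for this example. The legacy rule caps characters,
# the relaxed rule keeps the minimum and caps only the bytes we hash
# (a practical limit, e.g. to stay well under a 4k request body).
LEGACY_POLICY = {"min_chars": 7, "max_chars": 14}
RELAXED_POLICY = {"min_chars": 7, "max_bytes": 4096}


def check_legacy(password: str) -> bool:
    """Old rule from the document under review: 7 to 14 characters."""
    return LEGACY_POLICY["min_chars"] <= len(password) <= LEGACY_POLICY["max_chars"]


def check_relaxed(password: str) -> bool:
    """Relaxed rule: same minimum, maximum set only by a byte budget.
    Counting UTF-8 bytes (not characters) is what bounds hashing cost."""
    if len(password) < RELAXED_POLICY["min_chars"]:
        return False
    return len(password.encode("utf-8")) <= RELAXED_POLICY["max_bytes"]


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as described in the thread: output is always 32 bytes,
    so the storage column never needs to depend on password length."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def stored_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) as they would be stored; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, salted_sha256(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(salted_sha256(password, salt), digest)


if __name__ == "__main__":
    for pw in ["short7!", "a" * 15, "correct horse battery staple " * 8]:
        salt, digest = stored_record(pw)
        print(len(pw), check_legacy(pw), check_relaxed(pw), len(digest))
```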