[WEB SECURITY] Max size of a password
itsecanalyst at gmail.com
Fri May 20 21:16:02 EDT 2011
This is a web application so I think 128 should be the limit if at all there
is a need.
Thanks for the reply and pointers.
On Fri, May 20, 2011 at 3:58 PM, <harry at woodward-clarke.com> wrote:
> As implied by a couple of other posts, there were systems with a 14-character
> limit to passwords. Typically early Windows NT (3 and 4) systems.
> With the kernel re-write for V5 (win2k and greater) this limitation was
> removed - well, increased to 127 chars, and may possibly be even larger in
> the V6 kernel (2k8/vista and greater).
> I recall hitting this 'limit' integrating OpenVMS systems and WinNT
> systems. VMS allowed long, _really_ long passwords, but we had to restrict
> them to 14 characters for interoperability with NT. This did not sit well
> with the paranoid among us :)
> Ah... memories...
> So, the long-and-short is, if you _still_ have some of the legacy systems
> (either physical, virtual or emulated - e.g. Samba 2 as PDC) then this
> restriction will have to stay, but if you're in the 21st Century, this
> restriction can be dropped - or rather, bumped up to "127 characters".
> On Fri, 20 May 2011 08:23:21 -0700, Gautam <itsecanalyst at gmail.com> wrote:
> > Hi,
> > I was recently reviewing an internal document and noticed that the
> > requirement for password mentioned that it should be minimum 7
> > and maximum 14 characters.
> > While I was ok with the minimum, I was not ok with maximum 14 since I
> > believe that we should not put a restriction on the maximum and user can
> > stretch it as per their comfort. I suggested that you can have it as 256
> > at all you want to make any limits. I know people use automated tools
> > pwd generation and management these days and larger (complex) passwords
> > would always add more work factor in case anyone got it to perform
> > attack.
> > I want to know from you experts,
> > - Since whatever goes will be hashed to SHA-256 (Salted) will
> > above point make any difference if the original pwd is 7 characters or
> > larger.
> > - I also wanted to know any pointers on documents that
> > refers for password best practices. Working with industry baseline is
> > for me.
> > Appreciate your help
> > Thanks,
> > Gautam.