[WEB SECURITY] Max size of a password

Gautam itsecanalyst at gmail.com
Fri May 20 21:16:02 EDT 2011


This is a web application so I think 128 should be the limit if at all there
is a need.

Thanks for the reply and pointers.



On Fri, May 20, 2011 at 3:58 PM, <harry at woodward-clarke.com> wrote:

> G'day,
>
> As implied by a couple of other posts, there were systems with 14
> character limit to passwords. Typically early WindowsNT (3 and 4) systems.
> With the kernel re-write for V5 (win2k and greater) this limitation was
> removed - well, increased to 127 chars, and may possibly be even larger in
> the V6 kernel (2k8/vista and greater).
>
> I recall hitting this 'limit' integrating OpenVMS systems and WinNT
> systems. VMS allowed long, _really_ long passwords, but we had to restrict
> them to 14 characters for interoperability with NT. This did not sit well
> with the paranoid among us :)
>
> Ah... memories...
>
> So, the long-and-short is, if you _still_ have some of the legacy systems
> (either physical, virtual or emulated - e.g. Samba 2 as PDC) then this
> restriction will have to stay, but if you're in the 21st Century, this
> restriction can be dropped - or rather, bumped up to "127 characters".
>
> hth,
>
> .h
>
> On Fri, 20 May 2011 08:23:21 -0700, Gautam <itsecanalyst at gmail.com> wrote:
> > Hi,
> >
> > I was recently reviewing an internal document and noticed that the
> > requirement for password mentioned that it should be minimum 7 characters
> > and maximum 14 characters.
> >
> > While I was ok with the minimum, I was not ok with maximum 14 since I
> > believe that we should not put a restriction on the maximum and user can
> > stretch it as per their comfort. I suggested that you can have it as 256 if
> > at all you want to make any limits. I know people use automated tools for
> > pwd generation and management these days and larger (complex) passwords
> > would always add more work factor in case anyone got it to perform offline
> > attack.
> >
> > I want to know from you experts,
> >          -  Since whatever goes will be hashed to SHA-256 (Salted) will my
> > above point make any difference if the original pwd is 7 characters or 14
> > or larger.
> >          -  I also wanted to know any pointers on documents that industry
> > refers for password best practices. Working with industry baseline is easy
> > for me.
> >
> > Appreciate your help
> >
> > Thanks,
> > Gautam.
>
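An added example, not code from the thread or from any of the posters: it enforces the 7/128 length bounds Gautam lands on, shows that salted SHA-256 output is 32 bytes whatever the input length (so storage imposes no maximum), and includes a check that detects a scheme which silently ignores characters past a limit, the legacy 14-character behaviour Harry describes, simulated here by a constructed `legacy_14_hash` that is not NT's real algorithm.

```python
import hashlib
import hmac
import secrets

# Length bounds from the thread: minimum 7 from the internal document,
# maximum 128 as Gautam settled on for a web application.
MIN_LEN = 7
MAX_LEN = 128


def length_ok(password: str) -> bool:
    """Enforce only the length policy; the cap bounds the work per hash
    call on the server, it is not a strength measure."""
    return MIN_LEN <= len(password) <= MAX_LEN


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as described in the thread. The digest is always
    32 bytes, regardless of how long the password is."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def legacy_14_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in (assumption for illustration) for a legacy scheme
    that only looks at the first 14 characters of the password."""
    return salted_sha256(password[:14], salt)


def truncates_at(hash_fn, limit: int, salt: bytes) -> bool:
    """True if hash_fn ignores everything beyond `limit` characters: two
    passwords that differ only after that point produce the same hash."""
    prefix = "a" * limit
    return hmac.compare_digest(hash_fn(prefix + "x", salt),
                               hash_fn(prefix + "y", salt))


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(salted_sha256(password, salt), stored)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    for pw in ("short7!", "a" * 14, "b" * 128):
        print(len(pw), length_ok(pw), len(salted_sha256(pw, salt)))
    print("modern truncates at 14:", truncates_at(salted_sha256, 14, salt))   # False
    print("legacy truncates at 14:", truncates_at(legacy_14_hash, 14, salt))  # True
```

The same `truncates_at` probe is worth running against whatever hash or KDF the application actually uses, since some real ones (bcrypt, for example, at 72 bytes) do stop reading input at a fixed point, and that is the point at which a documented maximum becomes meaningful.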