[WEB SECURITY] Max size of a password

Rohit Pitke rohirp92 at yahoo.com
Sat May 21 06:36:04 EDT 2011

As others have pointed out, setting max size is context-dependent, as if you have 
set a threshold for max-length, then you need to impose that. Also, certain 
legacy systems might trouble you in this regard. 

So it is very context-specific. Along with length, one needs to design the "quality" 
of the password too. That is, what characters are allowed, special characters, 
compulsion of alpha-numeric etc. That would come with some stipulated minimum 
length, say 7-8, and the above criteria to make it "strong". In any case, a strong 
password expiration policy, lockout enabling and a secure policy to deliver 
"forget password" requests need to be analyzed also. 


From: Gautam <itsecanalyst at gmail.com>
To: harry at woodward-clarke.com
Cc: websecurity at webappsec.org
Sent: Sat, May 21, 2011 6:46:02 AM
Subject: Re: [WEB SECURITY] Max size of a password

This is a web application so I think 128 should be the limit if at all there is 
a need.

Thanks for the reply and pointers.

On Fri, May 20, 2011 at 3:58 PM, <harry at woodward-clarke.com> wrote:

>As implied by a couple of other posts, there were systems with 14
>character limit to passwords. Typically early WindowsNT (3 and 4) systems.
>With the kernel re-write for V5 (win2k and greater) this limitation was
>removed - well, increased to 127 chars, and may possibly be even larger in
>the V6 kernel (2k8/vista and greater).
>I recall hitting this 'limit' integrating OpenVMS systems and WinNT
>systems. VMS allowed long, _really_ long passwords, but we had to restrict
>them to 14 characters for interoperability with NT. This did not sit well
>with the paranoid among us :)
>Ah... memories...
>So, the long-and-short is, if you _still_ have some of the legacy systems
>(either physical, virtual or emulated - e.g. Samba 2 as PDC) then this
>restriction will have to stay, but if you're in the 21st Century, this
>restriction can be dropped - or rather, bumped up to "127 characters".
>On Fri, 20 May 2011 08:23:21 -0700, Gautam <itsecanalyst at gmail.com> wrote:
>> Hi,
>> I was recently reviewing an internal document and noticed that the
>> requirement for password mentioned that it should be minimum 7
>> and maximum 14 characters.
>> While I was ok with the minimum, I was not ok with maximum 14 since I
>> believe that we should not put a restriction on the maximum and user can
>> stretch it as per their comfort. I suggested that you can have it as 256
>> if at all you want to make any limits. I know people use automated tools
>> for pwd generation and management these days and larger (complex) passwords
>> would always add more work factor in case anyone got it to perform an
>> attack.
>> I want to know from you experts,
>>          -  Since whatever goes will be hashed to SHA-256 (Salted), will the
>> above point make any difference if the original pwd is 7 characters or
>> larger.
>>          -  I also wanted to know any pointers on documents that
>> refer to password best practices. Working with industry baseline is
>> for me.
>> Appreciate your help
>> Thanks,
>> Gautam.
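The thread raises two practical points: a policy that sets a minimum length and quality (Rohit) and an upper bound that a web application can afford to make generous (Gautam's 128, harry's 127), and the question of whether length still matters once the password is salted and hashed with SHA-256. The following is an added example, not code from the list or from any of the posters; the policy values (minimum 7, maximum 128, the legacy 14-character cap) are taken from the thread and are assumptions for illustration, and the `truncating_hash` function is a constructed model of a legacy system that silently cuts passwords at 14 characters, not a real product's behaviour.

```python
import hashlib
import hmac
import os
import re

# Policy numbers as discussed in the thread (assumed here, not a recommendation):
MIN_LENGTH = 7          # the document's minimum that Gautam accepted
MAX_LENGTH = 128        # Gautam's suggested ceiling for a web application
LEGACY_MAX_LENGTH = 14  # the old NT-era limit harry describes


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Length is bounded on both sides; the quality rules follow Rohit's list
    (letters, digits, special characters).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as the thread describes it: SHA-256(salt || password).

    The digest is always 32 bytes, so the stored value does not grow with the
    password; a generous maximum costs nothing in storage.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def truncating_hash(password: str, salt: bytes, limit: int = LEGACY_MAX_LENGTH) -> bytes:
    """Constructed model of a legacy system that silently truncates to `limit` chars.

    Everything the user typed past the limit is discarded before hashing, so two
    passwords that share their first `limit` characters become indistinguishable.
    """
    return salted_sha256(password[:limit], salt)


def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    return hmac.compare_digest(salted_sha256(password, salt), stored_digest)


def truncation_collides(p1: str, p2: str, salt: bytes) -> bool:
    """True when the legacy model cannot tell p1 and p2 apart although they differ."""
    return p1 != p2 and truncating_hash(p1, salt) == truncating_hash(p2, salt)


def new_salt() -> bytes:
    """Fresh random salt per stored password (16 bytes is assumed here)."""
    return os.urandom(16)


if __name__ == "__main__":
    salt = new_salt()
    short_pw = "Ab3$efg"                         # exactly 7 characters
    long_pw = "correct horse battery staple" * 3 + "!9"  # far beyond 14
    print("short:", check_policy(short_pw) or "ok", len(salted_sha256(short_pw, salt)), "byte digest")
    print("long: ", check_policy(long_pw) or "ok", len(salted_sha256(long_pw, salt)), "byte digest")
    # Two distinct passwords that agree on their first 14 characters:
    a, b = "Aa1!Aa1!Aa1!Aa" + "XYZ", "Aa1!Aa1!Aa1!Aa" + "123"
    print("legacy 14-char system collides:", truncation_collides(a, b, salt))
    print("full-length hashes differ:", salted_sha256(a, salt) != salted_sha256(b, salt))
```

The point the demo makes: with the full password fed to the hash, a 7-character and a 100-character password both produce a 32-byte digest, so the maximum can be set for usability rather than storage; with a 14-character truncating system, everything the user typed beyond position 14 is lost and passwords that differ only in their tail collide. As a separate caveat, plain salted SHA-256 is fast to compute, and a slow, purpose-built password hash (bcrypt, scrypt, PBKDF2 or Argon2) is the usual choice today for the hashing step itself; the length policy is the same either way.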