[WEB SECURITY] Max size of a password

Rohit Pitke rohirp92 at yahoo.com
Sat May 21 06:36:04 EDT 2011


As others have pointed out, setting a max size is context-dependent: if you have 
set a threshold for max length, then you need to impose it. Also, certain 
legacy systems might trouble you in this regard. 


So it is very context-specific. Along with length, one needs to design the "quality" 
of the password too. That is, which characters are allowed, special characters, 
compulsory alphanumerics, etc. That would come with some stipulated minimum 
length, say 7-8, and the above criteria to make it "strong". In any case, a strong 
password expiration policy, lockout, and a secure policy for handling 
"forgot password" requests need to be analyzed as well. 


Best,
Rohit 





________________________________
From: Gautam <itsecanalyst at gmail.com>
To: harry at woodward-clarke.com
Cc: websecurity at webappsec.org
Sent: Sat, May 21, 2011 6:46:02 AM
Subject: Re: [WEB SECURITY] Max size of a password

This is a web application, so I think 128 should be the limit, if at all there is 
a need.

Thanks for the reply and pointers.




On Fri, May 20, 2011 at 3:58 PM, <harry at woodward-clarke.com> wrote:

>G'day,
>
>As implied by a couple of other posts, there were systems with a 14
>character limit to passwords. Typically early Windows NT (3 and 4) systems.
>With the kernel re-write for V5 (win2k and greater) this limitation was
>removed - well, increased to 127 chars, and may possibly be even larger in
>the V6 kernel (2k8/vista and greater).
>
>I recall hitting this 'limit' integrating OpenVMS systems and WinNT
>systems. VMS allowed long, _really_ long passwords, but we had to restrict
>them to 14 characters for interoperability with NT. This did not sit well
>with the paranoid among us :)
>
>Ah... memories...
>
>So, the long-and-short is, if you _still_ have some of the legacy systems
>(either physical, virtual or emulated - e.g. Samba 2 as PDC) then this
>restriction will have to stay, but if you're in the 21st Century, this
>restriction can be dropped - or rather, bumped up to "127 characters".
>
>hth,
>
>.h
>
>
>On Fri, 20 May 2011 08:23:21 -0700, Gautam <itsecanalyst at gmail.com> wrote:
>> Hi,
>>
>> I was recently reviewing an internal document and noticed that the
>> requirement for passwords mentioned that they should be minimum 7 characters
>> and maximum 14 characters.
>>
>> While I was OK with the minimum, I was not OK with maximum 14, since I
>> believe that we should not put a restriction on the maximum and the user can
>> stretch it as per their comfort. I suggested that you can have it as 256 if
>> at all you want to make any limits. I know people use automated tools for
>> pwd generation and management these days, and larger (complex) passwords
>> would always add more work factor in case anyone got it to perform an offline
>> attack.
>>
>> I want to know from you experts,
>>          -  Since whatever goes will be hashed to SHA-256 (salted), will my
>> above point make any difference if the original pwd is 7 characters or 14
>> or larger.
>>          -  I also wanted to know any pointers on documents that industry
>> refers to for password best practices. Working with an industry baseline is
>> easy for me.
>>
>> Appreciate your help
>>
>> Thanks,
>> Gautam.
>
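An added example, not code from anyone in this thread: a Python sketch of the policy Rohit describes (length bounds plus "quality" rules) together with the salted SHA-256 step Gautam mentions. The 7/128 bounds, the particular quality rules, the 16-byte salt and the 62-symbol alphabet used for the keyspace estimate are assumptions chosen for illustration; measuring length in Unicode code points after NFKC normalisation and the constant-time compare are editorial choices, not something the thread prescribes. What it makes concrete is the answer to Gautam's first question: the digest is 32 bytes whether the input is 7 or 128 characters, so the maximum is an input-handling and policy decision, while the brute-force space an offline attacker faces (guess_space_bits) keeps growing with length.

```python
import hashlib
import hmac
import math
import os
import unicodedata

# Policy bounds from the thread: 7 as the minimum, 128 as the web-application
# maximum Gautam settles on. Treating them as fixed constants is this example's
# assumption, as is counting length in Unicode code points rather than bytes.
MIN_LEN = 7
MAX_LEN = 128


def check_password_policy(pw: str) -> list:
    """Return the list of policy violations; an empty list means 'accepted'.

    Length is measured in code points after NFKC normalisation so that a user
    typing composed vs. decomposed accents gets the same answer. The quality
    rules (a letter, a digit and a non-alphanumeric character) are one concrete
    reading of the thread's 'compulsory alphanumerics etc.' (assumed here).
    """
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)
    problems = []
    if n < MIN_LEN:
        problems.append("too short: %d < %d" % (n, MIN_LEN))
    if n > MAX_LEN:
        problems.append("too long: %d > %d" % (n, MAX_LEN))
    if not any(c.isalpha() for c in pw):
        problems.append("needs at least one letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("needs at least one special character")
    return problems


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted SHA-256 as the thread describes; returns (salt, digest).

    The digest is always 32 bytes, so the stored value is the same size for a
    7-character and a 128-character password: the maximum length is a policy
    and input-handling decision, not a storage one.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt (16 bytes is an assumption)
    pw_bytes = unicodedata.normalize("NFKC", pw).encode("utf-8")
    return salt, hashlib.sha256(salt + pw_bytes).digest()


def verify_password(pw: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(pw, salt)
    return hmac.compare_digest(digest, expected)


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of a given length over an alphabet.

    This is the keyspace an attacker holding the salted hash must search when
    brute-forcing; it grows linearly in length even though the hash output
    size stays at 32 bytes.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("sh0rt!", "Tr0ub4dor&3", "a1!" * 50, "correct horse"):
        print(repr(candidate[:20]), check_password_policy(candidate) or "OK")
    salt, digest = hash_password("Tr0ub4dor&3")
    print("digest bytes:", len(digest),
          "verify:", verify_password("Tr0ub4dor&3", salt, digest))
    for n in (7, 14, 128):
        print("%3d chars over 62 symbols: %.1f bits" % (n, guess_space_bits(n, 62)))
```

One caveat the thread does not raise: plain SHA-256 is cheap to compute, so the keyspace figure above is the only cost an offline attacker pays per guess; the length bound and the hash choice are separate decisions, and this example only illustrates the former.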