[WEB SECURITY] Max size of a password

MustLive mustlive at websecurity.com.ua
Sat May 21 16:52:02 EDT 2011

Hello Gautam!

My recommendations concerning minimum and maximum password length are the

- minimum - 8 characters,
- maximum - no limits (but you can add limits depending on hardware

I haven't heard about the industry's password best practices, but since 2005,
in my own security manual, I have been recommending the above-mentioned
8-character minimum length (and with time this limit will need to be revised).

> in case anyone got it to perform offline attack.

Not only offline but also online attacks are possible. And if there is a Brute
Force vulnerability in your system and nothing is done to prevent such
attacks, then only strong passwords will be the last barrier against
attackers.

So take into account my recommended minimum password length, because too
short passwords can be easily picked not only in an offline attack, but
also in an online attack.

Best wishes & regards,
Administrator of Websecurity web site

----- Original Message ----- 
From: Gautam
To: websecurity at webappsec.org
Cc: MustLive
Sent: Friday, May 20, 2011 6:23 PM
Subject: Max size of a password


I was recently reviewing an internal document and noticed that the
requirement for passwords mentioned that they should be a minimum of 7 characters
and a maximum of 14 characters.

While I was ok with the minimum, I was not ok with the maximum of 14, since I
believe that we should not put a restriction on the maximum and users can
stretch it as per their comfort. I suggested that you can have it as 256 if
at all you want to make any limits. I know people use automated tools for
pwd generation and management these days, and larger (complex) passwords
would always add more work factor in case anyone got it to perform an offline
attack.

I want to know from you experts,
 - Since whatever goes will be hashed to SHA-256 (salted), will my
above point make any difference if the original pwd is 7 characters or 14 or
 - I also wanted to know any pointers on documents that the industry
refers to for password best practices. Working with an industry baseline is easy
for me.

Appreciate your help
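The two policies discussed in this thread (Gautam's 7..14 document and MustLive's "minimum 8, no maximum") and Gautam's question about whether length still matters once the password is salted and hashed with SHA-256 can be illustrated with a short script. This is an added example, not code from either poster: the policy checker, the fixed-length-digest demonstration and the keyspace calculation are my own, the salt handling and the optional `max_len` cap are assumptions, and no real hashing deployment is implied.

```python
import hashlib
import math
import os

# Policy values from the thread: Gautam's document requires 7..14 characters,
# MustLive recommends a minimum of 8 and no maximum. The optional cap is an
# assumption, only there to bound the work a single request can cause.
MIN_LEN = 8
MAX_LEN = None  # None means "no limit", as MustLive recommends


def check_length(password: str, min_len: int = MIN_LEN, max_len=MAX_LEN) -> bool:
    """Return True if the password length satisfies the policy.

    Length is measured in characters; a deployment would also want a byte
    bound (assumed, not from the thread) if the hash function it uses
    truncates or rejects long inputs.
    """
    n = len(password)
    if n < min_len:
        return False
    if max_len is not None and n > max_len:
        return False
    return True


def salted_sha256(password: str, salt: bytes) -> str:
    """Salted SHA-256 exactly as described in the question (salt || password).

    The digest is always 32 bytes (64 hex characters) no matter how long the
    password is, so the stored hash itself does not change with length.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of candidate passwords of this length and alphabet.

    Hashing does not shrink this space; an exhaustive offline attack on a
    salted hash still has to cover it, which is why length (and alphabet)
    drive the attacker's work factor, not the digest size.
    """
    return length * math.log2(alphabet_size)


def length_comparison(lengths, alphabet_size: int = 62) -> dict:
    """Map each candidate length to its keyspace in bits (62 = [A-Za-z0-9])."""
    return {n: keyspace_bits(n, alphabet_size) for n in lengths}


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user random salt (assumed; the thread only says "salted")
    for pw in ["abc1234", "abcd1234", "correct-horse-battery-staple-2011"]:
        print(f"{pw!r:40} policy_ok={check_length(pw)!s:5} "
              f"digest_len={len(salted_sha256(pw, salt))} "
              f"keyspace_bits={keyspace_bits(len(pw), 62):.1f}")
    print("keyspace for 7/14/256-character passwords over 62 symbols:",
          {k: round(v, 1) for k, v in length_comparison([7, 14, 256]).items()})
```

Running it shows the point of the exchange: every password produces a 64-character digest, so the hash reveals nothing about length, while the keyspace an attacker must search grows linearly in bits (exponentially in candidates) with each added character. A generous cap such as the 256 Gautam mentioned costs nothing in security terms and keeps per-request hashing work bounded.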