[WEB SECURITY] Max size of a password

Gautam itsecanalyst at gmail.com
Sat May 21 18:33:43 EDT 2011

Thanks everyone for writing. MustLive, I have expressed my opinion on a minimum
limit and no maximum limit.

However, while I wrote this post to this forum I was thinking in the background
about how this impacts hashing results and the length.

As we all know, storing just plain-text passwords would be the biggest blunder
that anyone could make, so I recommend doing at least salted-SHA versions.

Now my dilemma is:

SHA256(*AAA*)  = some 256 bit hash

SHA256(*AAABB*) = is also a 256 bit hash

so with this reasoning, will it make sense if I say no limit or just a
reasonable limit of 14 characters, since the result is always going to be
128-bit text be it 8 characters or 14 characters?

Let me know your views.


On Sat, May 21, 2011 at 1:52 PM, MustLive <mustlive at websecurity.com.ua> wrote:

> Hello Gautam!
> My recommendations concerning minimum and maximum password length are the
> following:
> - minimum - 8 characters,
> - maximum - no limits (but you can add limits depending on hardware
> restrictions).
> I haven't heard about industry password best practices, but since 2005 in
> my own security manual I have been recommending the above-mentioned 8-character
> minimum length (and with time this limit will need to be revised).
> > in case anyone got it to perform an offline attack.
> Not only offline, but also online attacks are possible. And if a Brute
> Force vulnerability is present in your system and nothing is done to
> prevent such attacks, then only strong passwords will be the last barrier
> before attackers.
> So take into account my recommended minimum password length, because too
> short passwords can be easily picked not only in an offline attack, but
> also in an online attack.
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> ----- Original Message ----- From: Gautam
> To: websecurity at webappsec.org
> Cc: MustLive
> Sent: Friday, May 20, 2011 6:23 PM
> Subject: Max size of a password
> Hi,
> I was recently reviewing an internal document and noticed that the
> requirement for passwords mentioned that they should be minimum 7 characters
> and maximum 14 characters.
> While I was ok with the minimum, I was not ok with the maximum of 14 since I
> believe that we should not put a restriction on the maximum and users can
> stretch it as per their comfort. I suggested that you can have it as 256 if
> at all you want to make any limits. I know people use automated tools for
> pwd generation and management these days and larger (complex) passwords
> would always add more work factor in case anyone got it to perform an offline
> attack.
> I want to know from you experts,
> - Since whatever goes will be hashed to SHA-256 (salted), will my
> above point make any difference if the original pwd is 7 characters, 14
> or larger?
> - I also wanted to know any pointers on documents that industry
> refers to for password best practices. Working with an industry baseline is easy
> for me.
> Appreciate your help.
> Thanks,
> Gautam.
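As an added illustration of the storage question raised in this thread (example code, not from the thread or its participants): a salted SHA-256 record is the same size whether the password is 8, 14 or 1000 characters, so a maximum length is a policy or hardware choice rather than a storage one. The 16-byte salt, the 8-character minimum and the optional cap are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16   # assumed salt size
DIGEST_BYTES = 32  # SHA-256 always yields 32 bytes (256 bits)


def password_allowed(password: str, min_length: int = 8,
                     max_length: Optional[int] = None) -> bool:
    """Length policy from the thread: 8-character minimum, no maximum unless
    a cap is explicitly configured (e.g. for hardware reasons)."""
    if len(password) < min_length:
        return False
    if max_length is not None and len(password) > max_length:
        return False
    return True


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as recommended in the thread; output length is fixed."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(password: str, salt: Optional[bytes] = None,
                max_length: Optional[int] = None) -> bytes:
    """Stored record = salt || digest; raises if the policy is violated."""
    if not password_allowed(password, max_length=max_length):
        raise ValueError("password violates length policy")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return salt + salted_sha256(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt, digest = record[:SALT_BYTES], record[SALT_BYTES:]
    return hmac.compare_digest(salted_sha256(password, salt), digest)


def record_length(password: str) -> int:
    """Size of the stored record for a given password."""
    return len(make_record(password))


if __name__ == "__main__":
    for pw in ("A" * 8, "A" * 14, "A" * 1000):
        print(len(pw), "chars ->", record_length(pw), "bytes stored")
```

The printed record size is 48 bytes for every input length, which is the point of Gautam's SHA256(*AAA*) versus SHA256(*AAABB*) comparison.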