[WEB SECURITY] Max size of a password
itsecanalyst at gmail.com
Sat May 21 18:33:43 EDT 2011
Thanks everyone for writing. MustLive, I have expressed my opinion on a minimum
limit and no maximum limit.
However, while I wrote this post to this forum, I was thinking in the background
about how this impacts hashing results and the length.
As we all know, storing just plain-text passwords would be the biggest blunder
that anyone could do, so I recommend doing at least Salted-SHA versions.
Now my dilemma is:
SHA256(AAA) = some 256-bit hash
SHA256(AAABB) = is also a 256-bit hash
So with this reasoning, will it make sense if I say no limit, or just a
reasonable limit of 14 characters, since the result is always going to be
128-bit text, be it 8 characters or 14 characters?
Let me know your views.
On Sat, May 21, 2011 at 1:52 PM, MustLive <mustlive at websecurity.com.ua>wrote:
> Hello Gautam!
> My recommendations concerning minimum and maximum password length are the
> - minimum - 8 characters,
> - maximum - no limits (but you can add limits depending on hardware
> I haven't heard about industry's password best practices, but from 2005 in
> my own security manual I was recommending above-mentioned 8 characters
> minimum length (and with time it's needed to revise this limit).
> in case anyone got it to perform offline attack.
> Not only offline, but online attacks are possible. And if a Brute
> Force vulnerability is in your system and nothing is done to
> prevent such attacks, then only strong passwords will be the last barrier
> before attackers.
> So take into account my recommended minimum length of password. Because too
> short passwords can be easily guessed not only in an offline attack, but
> also in an online attack.
> Best wishes & regards,
> Administrator of Websecurity web site
> ----- Original Message ----- From: Gautam
> To: websecurity at webappsec.org
> Cc: MustLive
> Sent: Friday, May 20, 2011 6:23 PM
> Subject: Max size of a password
> I was recently reviewing an internal document and noticed that the
> requirement for password mentioned that it should be minimum 7 characters
> and maximum 14 characters.
> While i was ok with the minimum, I was not ok with maximum 14 since I
> believe that we should not put a restriction on the maximum and user can
> stretch it as per their comfort. I suggested that you can have it as 256 if
> at all you want to make any limits. I know people use automated tools for
> pwd generation and management these days and larger (complex) passwords
> would always add more work factor in case anyone got it to perform offline
> I want to know from you experts,
> - Since whatever goes will be hashed to SHA-256 (Salted) will my
> above point make any difference if the original pwd is 7 characters or 14
> - I also wanted to know any pointers on documents that industry
> refers for password best practices. Working with industry baseline is easy
> for me.
> Appreciate your help
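The question above (does a fixed-size digest make the input length irrelevant?) is easy to settle by running the scheme the thread discusses. The following is an added example, not code from any of the posters: it hashes passwords of different lengths with salted SHA-256, shows that the digest is always 256 bits, and then runs a small exhaustive offline attack to show that what an attacker pays for is the size of the input space, not the size of the output. The salt is a constructed constant so the results are reproducible; a real system draws a fresh random salt per user.

```python
import hashlib
import itertools
import math

# Constructed, fixed salt so the example is reproducible. A real system
# would use a fresh random salt per user (e.g. os.urandom(16)).
SALT = b"constructed-example-salt"


def salted_sha256(password: str, salt: bytes = SALT) -> bytes:
    """The 'Salted-SHA' scheme the thread talks about: SHA-256(salt || password).
    The output is always 32 bytes (256 bits), whatever the input length."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def digest_bits(passwords) -> list:
    """Digest size in bits for each password. The size is fixed; this is the
    observation the post is built on, and it is true for any input length."""
    return [len(salted_sha256(p)) * 8 for p in passwords]


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of work an exhaustive guesser faces for a random password of this
    length over this alphabet: log2(alphabet_size ** length).
    This grows with length even though the digest size does not."""
    return length * math.log2(alphabet_size)


def offline_attack(target: bytes, alphabet: str, max_len: int, salt: bytes = SALT):
    """Exhaustive offline guessing against one salted digest, shortest
    candidates first. Returns (recovered_password, guesses_made), or
    (None, guesses_made) if nothing up to max_len matched."""
    guesses = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(combo)
            if salted_sha256(candidate, salt) == target:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    samples = ["AAA", "AAABB", "correct horse battery staple", "x" * 200]
    print("digest bits:", digest_bits(samples))  # → [256, 256, 256, 256]
    for n in (7, 8, 14, 32):
        print(f"{n:2d} chars over 62 symbols: "
              f"{search_space_bits(n, 62):5.1f} bits of search space")
    # Tiny alphabet so the exhaustive loop finishes instantly; the guess
    # count is what scales with the length cap in a real deployment.
    target = salted_sha256("abc")
    print("offline attack:", offline_attack(target, "abc", 3))  # → ('abc', 18)
```

The digest size says nothing about attacker cost: SHA-256 does not truncate its input, so a 200-character passphrase hashes just as well as a 7-character one, and there is no storage reason to cap length. What does change between 7 and 14 characters is the number of guesses the offline loop has to make before it hits, so a maximum length caps the work factor a user is allowed to impose on an attacker while the hash itself imposes none.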