[WEB SECURITY] Max size of a password

James Manico jim at manico.net
Sun May 22 14:24:31 EDT 2011

Then again, hashing and salting is not enough for secure password storage.

1) Use a strong/modern hash
2) Use a cryptographically strong salt
2a) Isolate that salt from the actual hash
3) Iterate the hashing of the pass and salt 1000 times (as of y2k,
doubling that iteration value every three years when you re-hash to
slow down re-construction of the custom hash table if the salt is know
by the attacker)
4) For %#^* sakes, stop depending on password as the only factor for
authentication. Shifting to 2-factor strategies decreases the need for
strong password policy or storage mechanisms.

Jim Manico

On May 22, 2011, at 7:46 PM, Claudio Telmon <claudio at telmon.org> wrote:

> On 05/22/2011 12:33 AM, Gautam wrote:
>> Now my delima is
>> SHA256(*AAA*)  = some 256 bit hash
>> now
>> SHA256(*AAABB*) = is also 256 bit hash
>> so with this reasoning will it make sense if i say no limit or just a
>> reasonable limit of 14 character since the result is always going to be
>> 128bit text be it 8 characters or 14 characters.
> A good hash function can provide you an entropy which is limited by the
> length of the output, but the entropy available in the input domain is
> also a limit. 14 characters as input from a user are not random bits and
> won't provide 128 bit of entropy for the result. If users are permitted
> (and suggested) to choose long passphrases, they may end up feeding the
> function with enough entropy. If they are limited to 14 characters, they
> will select passwords that will be shorter that 14 characters and are
> not random, so they will always feed less that 128 bit of entropy to the
> function, and the output will also have less that 128 bits of entropy,
> even if it is 128 bit long.
> ciao
> - Claudio
> --
> Claudio Telmon
> claudio at telmon.org
> http://www.telmon.org
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list