[WEB SECURITY] Max size of a password

albino albinowax at eml.cc
Sun May 22 07:07:26 EDT 2011

I know most of you know this but I'm not sure about the OP. SHA256(AAA)
is more likely to be guessed than SHA256(AAABB) even though the
resulting hashes are the same length. When an attacker attempts to crack
hashes they don't guess the hash directly; they guess the password then
generate the hash to check whether it was correct or not. Guessing
SHA-256 hashes directly is unfeasible with current technology. So
placing an upper limit of 14 will decrease the security of some users.


-----Original Message-----
From: Gautam <itsecanalyst at gmail.com>
To: MustLive <mustlive at websecurity.com.ua>
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Max size of a password

Thanks everyone for writing, MustLive i have expressed my opinion on
mimimum limit and No maximum limit.

However while i wrote this post to this forum I was thinking in backend
about how this impacts hashing results and the length.

As we all know storing just pain-text passwords would be the biggest
blunder that anyone could do, so I recommend doing at least Salted-SHA

Now my delima is 

SHA256(AAA)  = some 256 bit hash


SHA256(AAABB) = is also 256 bit hash

so with this reasoning will it make sense if i say no limit or just a
reasonable limit of 14 character since the result is always going to be
128bit text be it 8 characters or 14 characters.

Let me know your views.


More information about the websecurity mailing list