[WEB SECURITY] Max size of a password

nilesh kumar nileshkumar83 at yahoo.co.in
Mon May 23 08:54:45 EDT 2011

Exactly Gautam,

If the website is imposing a length restriction on your passwords 
entered, it's possible that they are storing it in clear text. May be in
 backend the password field is VARCHAR with maximum length defined. On 
the other hand, if they are hashing the password before storing it, they
 need not worry about the length of the password entered by the end user
 as the hashed password will be of 'fixed' maximum size, no matter how 
long/short the user enters his password. How does that sound?

One nice post here:http://off-the-wall-security.blogspot.com/2011/03/signs-of-broken-authentication-part-1.html

Thanks & Regards,

Nilesh Kumar,
Engineer-Security Analyst
Mobile- +91-9019076487

--- On Sun, 22/5/11, Gautam <itsecanalyst at gmail.com> wrote:

From: Gautam <itsecanalyst at gmail.com>
Subject: Re: [WEB SECURITY] Max size of a password
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: websecurity at webappsec.org
Date: Sunday, 22 May, 2011, 4:03 AM

Thanks everyone for writing, MustLive i have expressed my opinion on mimimum limit and No maximum limit.

However while i wrote this post to this forum I was thinking in backend about how this impacts hashing results and the length.

As we all know storing just pain-text passwords would be the biggest blunder that anyone could do, so I recommend doing at least Salted-SHA versions.

Now my delima is 

SHA256(AAA)  = some 256 bit hash


SHA256(AAABB) = is also 256 bit hash

so with this reasoning will it make sense if i say no limit or just a reasonable limit of 14 character since the result is always going to be 128bit text be it 8 characters or 14 characters.

Let me know your views.


On Sat, May 21, 2011 at 1:52 PM, MustLive <mustlive at websecurity.com.ua> wrote:

Hello Gautam!

My recommendations concerning minimum and maximum password's length are the


- minimum - 8 characters,

- maximum - no limits (but you can add limits depending on hardware


I haven't heard about industry's password best practices, but from 2005 in

my own security manual I was recommending above-mentioned 8 characters

minimum length (and with time it's needed to revise this limit).

in case anyone got it to perform offline attack.

Not only offline, but online attacks are possible. And in case if Brute

Force vulnerability will be in your system and nothing will be made to

prevent such attacks, then only strong passwords will be the last barrier

before attackers.

So take into account my recommended minimum length of password. Because too

short passwords can be not only easily picked up at offline attack, but

also at online attack.

Best wishes & regards,


Administrator of Websecurity web site


----- Original Message ----- From: Gautam

To: websecurity at webappsec.org

Cc: MustLive

Sent: Friday, May 20, 2011 6:23 PM

Subject: Max size of a password


I was recently reviewing a internal document and noticed that the the

requirement for password mentioned that it should be minimum 7 characters

and maximum 14 characters.

While i was ok with the minimum, I was not ok with maximum 14 since I

believe that we should not put a restriction on the maximum and user can

stretch it as per their comfort. I suggested that you can have it as 256 if

at all you want to make any  limits. I know people use automated tools for

pwd generation and management these days and larger (complex) passwords

would always add more work factor in case anyone got it to perform offline


I want to know from you experts,

        -  Since whatever goes will be hashed to SHA-256 (Salted) will my

above point make any difference if the original pwd is 7 characters or 14 or


        -  I also wanted to know any pointers on documents that industry

refers for password best practices. Working with industry baseline is easy

for me.

Appreciate your help



-----Inline Attachment Follows-----

The Web Security Mailing List

WebSecurity RSS Feed

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter

websecurity at lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110523/be49c5af/attachment-0003.html>

More information about the websecurity mailing list