tags:

views:

1161

answers:

10
+23  Q: 

Why restrict the length of a password?

I've just signed up to a site to purchase some goods, and when I tried to enter my (reasonably secure) password I was informed it was too long, and that I should enter a password between 5 & 10 characters! What is the point in that? Who makes decisions like this? Surely the ideal password would be a really long and complicated one? Why do people insist on trying to restrict what types of passwords you can use?

Have you had to implement a login to a website? Was the login for secure purposes (e.g. purchasing goods). What (if any) restrictions did you place on the user's password? What were your reasons for the decision?

+70  A: 

Restricting the size of a password is an attempt to save storage space. It pretty much indicates that your password is being stored plainly in their database, so they want to restrict its size. Otherwise it's just a restriction because the implementors don't know any better. Either way it's a bad sign.

You might want to contact the admins of the site and ask them about it. They should be storing hashes, not passwords, which are always the same size no matter how big the password is. There really should be no limit to the size of password you enter, nor the domain of characters you're permitted to input.

Welbog  2009-03-31 18:29:19
It's a great indicator of ancient software. When your bank wants len(password) <= 6, and case doesn't matter, it's a _very_ bad sign.
sysrqb  2009-03-31 18:32:36
Phew, hard answer, but probably true. and that's the REAL WTF.
furtelwart  2009-03-31 18:40:44
One caveat: the size of the uploaded data stream is a limiting factor. You don't really want to handle an arbitrarily large value. Restricting to something really small like 8 or even 16 is overkill, though.
Joel Coehoorn  2009-03-31 18:44:39
@Joel: a valid point, but like you said there's no reason to restrict the password to something so small, especially something that will be overshadowed by the size of simple HTTP headers. A restriction to a few hundred or thousand characters wouldn't be unreasonable if this is a concern.
Welbog  2009-03-31 18:46:44
'There really should be no limit to the size of the password' should probably be corrected to read, 'there really should be no _upper_ limit to the size of the password'.
RobH  2009-06-12 19:49:42
I'll take a reasonable upper limit like 16 chars over an accidental no limit that works for some parts of an app but not others.
Michael Haren  2009-06-12 21:46:32
How on Earth is 16 characters reasonable? My usual passphrases are much longer than that. A "reasonable" limit is something between 1024 and 65536.
Welbog  2009-06-12 21:52:01
With regard to websites, I would be a sizable fortune that you are in the minority. The average password length for a regular website is probably less than 8 (assuming the minimum is less than 8).
Michael Haren  2009-06-13 13:10:44
So you're saying it's OK to limit the security of my password because the majority of users don't know anything about security?
Welbog  2009-06-13 15:39:10
"There really should be no limit to the size of password you enter" - not sure I agree with this, I would not want my server to compute the hash for a 3million character password that some helpful user sent in the request.
UpTheCreek  2009-11-02 10:49:36
@Sosh: I can respect that point of view, which is why I stated that a reasonable limit is something in the 2^10 to 2^16 range, which is several pages of text, but whose hash can be computed relatively quickly.
Welbog  2009-11-02 11:48:15
I basically agree. But... if you allow very very long passwords, users might be more likely to mis-remember them, lock themselves out of their own account, and consume more support resources. Still, a "long" passphrase is more likely to be remembered correctly than `-J]"Z)(2a=2
jhs  2009-12-06 11:22:52
If they care about security, they should not be saving anyone's password anyway, but make a salted hash. Those hashes are normally fixed-length, so it doesn't matter how long the passwords is.
dbkk  2010-02-04 04:54:44
A: 

The only possible reason to limit a password in that manner would be to simplify the database table, and that's a bad reason. Long, complicated passwords should be allowed!

Futhermore, the site should not be storing the password at all, but rather storing a crypto hash. Since the hash is a fixed size, that makes the database very simple and storage requirements small.

dwc  2009-03-31 18:29:56
+2  A: 

Some (poorly designed) websites have maximum password lengths for a simple reason: that's all the space they have in their database to store your password. There's a good chance they're not hashing it or processing it at all, meaning it's stored in plain text. Websites like that I use one use, throw-away passwords for every time. It's a poor design, and it's unfortunate that people still use it.

Robert P  2009-03-31 18:30:31
+2  A: 

It could be that the algorithm they use for encryption doesn't work well with large passwords or that they only have limited storage to store it. Both are very poor reasons, I know, but it's possible.

If I were to make password rules, it would only be things to protect users, like forcing them to use at least one special character and number or mixing lower and upper case.

mandaleeka  2009-03-31 18:31:20
+21  A: 

The most common reason for this is because the front-end intgrates with some old legacy system that does not handle more than a given number of characters.

krosenvold  2009-03-31 18:32:29
+1. Well, the most common *valid* reason... I'd guess the most common reason in reality is simple stupidity.
bobince  2009-03-31 18:38:58
@bobince: agreed.
Welbog  2009-03-31 18:40:10
And instead of doing the front end properly and working out how to transparently integrate with the back end, they just drag the problems forward into the new system?!
JeeBee  2009-03-31 18:47:47
@JeeBee The swamp of legacy systems in enterprises can be enough to make grown men weep, even a full team of them. I'm not advocating the solution, but what if that's the only way you manage to stay halfway consistent ?
krosenvold  2009-03-31 19:33:18
+3  A: 

Seems especially stupid, given that any half decent website does not store plaintext passwords in their database, they store a one way hash of that password (which will always be a set length depending on the algorithm used, for example sha1 is a 160 bit digest) and then rehash that password on login to make sure that the newly hashed password matches the stored one.

Other than for frontend design asthetics - I agree, it doesn't make any sense to enforce a maximum password length. Minimum length is entirely different though for obvious reasons.

Max  2009-03-31 18:33:44
A: 

Well, not to start whining but I think the same about usernames you can use. Sometimes your username can only be 4 to 8 characters. Who thinks of that stuff?

Why not just give someone the ability to enter his email address or whatever they like.

Wim Haanstra  2009-03-31 18:36:30
+2  A: 

A case-insensitive 10 character alphanumeric password has 839,299,365,868,340,224 possible permutations. It's going to take a few ice ages to brute force this assuming it can check 1 million per second. That's secure enough for me.

The "best" reason is probably so you can remember the password.

John Rasch  2009-03-31 18:36:53
http://www.lockdown.co.uk/?pg=combi
Alan  2009-03-31 18:51:45
@Alan - yes, I guess my example would fall under Class C, which with 10 characters (not even listed on those charts) would be roughly 26,000 years. This isn't the NSA we're talking about here... social engineering attacks, or simple keylogging would be way more effective
John Rasch  2009-03-31 18:56:33
People are still going to pick the easiest-to-remember passwords in the domain they have available to them. There aren't that many easy-to-remember passwords in 10 characters. Longer passwords, counterintuitively, can yield easier passwords when you take phrases into account, as Bill the Lizard said
Welbog  2009-03-31 18:59:00
@Welbog - that's not counter-intuitive at all, I wish more places would utilize pass phrases. The question here is really why there would be restrictions on length, and without emailing that specific company the best we can all do is guess
John Rasch  2009-03-31 19:13:22
@John: Class C, which is 1,000,000 passwords/second on a Pentium 100. Securing your data is the least of your worries if that is the type of machine you're using.
Alan  2009-03-31 21:12:30
@Alan - alright assume Class F (1 billion per second) that's still 26 years worst case. If my data is that important that I'm afraid it's going to be hacked by then, I'll probably change my password. The brute force speed is only a trivial aspect of the overall issue here
John Rasch  2009-03-31 21:43:16
@John: 26 years is far from a few ice ages. That's my only point. Yes there are more effective ways to attack an account (see my comment to the OP).
Alan  2009-03-31 23:10:19
+2  A: 

The length restriction is probably due to a storage space concern, but it might be a really bad anti-scripting measure. I'd be a lot more confident if my bank told me my password was too short, rather than too long. Whenever I'm told my password is too short, or "special" characters are not allowed I think, "Oh, they must not have found my password in their dictionary... facepalm."

Any characters should be allowed. Pass phrases should be encouraged, not discouraged. They're much easier to remember than cryptic passwords and much harder to crack since they won't be in a lookup table.

Bill the Lizard  2009-03-31 18:38:44
+1 for phrases. I love pass phrases. So easy to remember, and naturally contain non-alphanumeric characters. Just make sure they're not ridiculously obvious.
Welbog  2009-03-31 18:44:38
@Welbog: The system administrator at my old company was a known Trekkie (he had a Starfleet Academy bumper sticker) and he used the password "spock". Something tells me "Live Long and Prosper" would be only slightly more secure. :)
Bill the Lizard  2009-03-31 19:01:10
One system admin I knew used his fan pseudonym as a password, and it was written up on a poster right next to his desk. And he worked for an international policing agency. Ah, happy days </jcdenton> ;-)
Steve Jessop  2009-03-31 19:17:08
+1  A: 

It could be because they are storing your password as plain text and are trying to save space, but it might also be to try and stop people making their passwords really long and then forgetting them, which means that the company has to send an email with your password, which is a bit of a hassle.

mike_93  2009-03-31 19:42:15

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL