
When using basic authentication, are there any limits on the length of:

  • the username,
  • the password,
  • the combined username and password

Are there any practical limits imposed by commonly used clients or client frameworks?

WW.
  • So this is purely a client-side question, meaning you control the server-side, including how big HTTP headers can be (see http://stackoverflow.com/questions/686217/maximum-on-http-header-values)? – Thilo Apr 16 '15 at 00:50
  • I'm going to be generating the basic auth credentials on our server, and want to make them work with as many clients as possible. – WW. Apr 16 '15 at 00:51
  • Is there a reason to go beyond, say, 30 characters each for username and password (which is not a problem for anything and should be secure enough)? – Thilo Apr 16 '15 at 00:54
  • I can have a guess at how long is long enough to be secure while being short enough to be compatible; but was hoping there is a definitive answer. – WW. Apr 16 '15 at 00:55

1 Answer


HTTP basic authentication is specified in section 2 of RFC 2617, which does not specify any explicit limit on the maximum size of either the challenge or the response.

So the answer is that there is no official maximum limit.

I don't know of any specific limits in various client or server-side HTTP implementations. If I was in your position, then I would approach this question like this:

1) On the server side, external factors will dictate the maximum userid and password size. You're going to authenticate the userid and the password from somewhere. It's going to come from either a password file of some sort, or some directory service or database, and that's going to dictate your maximum limits.

2) On the client side, I will reasonably assume that my prompts to the client for the login ID and the password will have a maximum limit of 255 characters each, until someone complains to me.

Sam Varshavchik
  • That RFC has a curious line: "base 64 encoding of user-pass, except not limited to 76 char/line". Not sure why 76 characters is relevant. – WW. Apr 16 '15 at 00:57
  • @WW. Base64 is traditionally broken down into multiple lines of 76 characters each. Not needed here. Either way, the total encoded message can be longer. – Thilo Apr 16 '15 at 00:59
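To make the answer and the comment thread concrete, here is an added example (not code from the question or the answer) that builds and parses a Basic credential exactly as RFC 2617 section 2 describes it, checks the resulting header against a configurable request-header size limit, and shows why the RFC's note about "not limited to 76 char/line" matters: MIME-style base64 inserts line breaks, which would corrupt an HTTP header. The 8190-byte default limit is my assumption for a typical server bound (it is Apache httpd's default `LimitRequestFieldSize`); RFC 2617 fixes no character set for the userid and password, so UTF-8 is assumed here.

```python
import base64
from typing import Tuple

# Assumption: a typical server-side per-header-line limit (Apache httpd default LimitRequestFieldSize).
DEFAULT_HEADER_LIMIT = 8190


def build_basic_auth_header(username: str, password: str) -> str:
    """Return an RFC 2617 Basic credential: 'Basic ' + base64(userid ':' password).

    The userid may not contain ':' because that character separates the two fields;
    the password may. The RFC sets no length limit on either field.
    """
    if ":" in username:
        raise ValueError("RFC 2617 forbids ':' in the userid")
    userpass = f"{username}:{password}".encode("utf-8")  # assumption: UTF-8 charset
    # base64.b64encode never inserts line breaks, which is what a header needs.
    return "Basic " + base64.b64encode(userpass).decode("ascii")


def parse_basic_auth_header(header_value: str) -> Tuple[str, str]:
    """Split an Authorization header value back into (userid, password).

    Splits on the FIRST ':' only, so passwords containing ':' survive the round trip.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    userid, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return userid, password


def header_fits(header_value: str, limit: int = DEFAULT_HEADER_LIMIT) -> bool:
    """True if the full 'Authorization: ...' line stays within the server's header limit.

    Base64 expands the input by 4/3, so a long password costs more header bytes than
    its own length suggests; this is the practical ceiling the question is asking about.
    """
    return len("Authorization: " + header_value) <= limit


def mime_encoding_wraps(username: str, password: str) -> bool:
    """Demonstrate the RFC's '76 char/line' remark.

    base64.encodebytes produces MIME base64, wrapped every 76 characters. If a client
    used it for a credential longer than 57 bytes, the newline would break the header.
    """
    userpass = f"{username}:{password}".encode("utf-8")
    wrapped = base64.encodebytes(userpass).rstrip(b"\n")  # drop only the trailing newline
    return b"\n" in wrapped


if __name__ == "__main__":
    # Constructed sample: the userid/password pair used as the example in RFC 2617 itself.
    hdr = build_basic_auth_header("Aladdin", "open sesame")
    print(hdr)                                   # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_auth_header(hdr))
    print(header_fits(build_basic_auth_header("u", "p" * 7000)))  # False: over 8190 bytes
    print(mime_encoding_wraps("u", "p" * 100))  # True: MIME base64 would wrap this
```

Note that the only hard rule the encoder enforces is the one the RFC actually states (no colon in the userid); everything about length is left to `header_fits`, whose limit you would set from whatever front-end proxy or server actually sits in front of your application.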