54

I've just signed up to a site to purchase some goods, and when I tried to enter my (reasonably secure) password I was informed it was too long, and that I should enter a password between 5 & 10 characters! What is the point in that? Who makes decisions like this? Surely the ideal password would be a really long and complicated one? Why do people insist on trying to restrict what types of passwords you can use?

Have you had to implement a login to a website? Was the login for secure purposes (e.g. purchasing goods). What (if any) restrictions did you place on the user's password? What were your reasons for the decision?

Mechanical snail
Mark Ingram
  • 2
    Long/complex passwords prevent bruteforce attacks, nothing more. Malware, loggers, phishing, man-in-the-middle, and social engineering attacks can easily defeat the best password policies. – Alan Mar 31 '09 at 18:46
  • 1
    For the sake of users stumbling onto this question, a similar question was asked that has its own set of legitimate answers and can be found here: http://stackoverflow.com/questions/988504/is-there-any-reason-for-placing-upper-limits-on-passwords – Welbog Jun 12 '09 at 19:37
  • 4
    I use KeePass to generate and auto-fill all of my passwords (20 character alphanumeric + symbols). My bank is the ONLY place that restricted the size/characters of my password. Pretty sad, isn't it? – Travis Jun 30 '09 at 20:35
  • 1
    Well, not to start whining but I think the same about usernames you can use. Sometimes your username can only be 4 to 8 characters. Who thinks of that stuff? Why not just give someone the ability to enter his email address or whatever they like. – Wim Haanstra Mar 31 '09 at 18:36
  • @Travis Until I repeatedly sent scripted customer service complaints to all visible emails associated with my bank, the password was limited to <= 8 characters. They shaped up after a month of annoyance/education. – recursion.ninja Aug 11 '13 at 20:01

8 Answers

106

Restricting the size of a password is an attempt to save storage space. It pretty much indicates that your password is being stored plainly in their database, so they want to restrict its size. Otherwise it's just a restriction because the implementors don't know any better. Either way it's a bad sign.

You might want to contact the admins of the site and ask them about it. They should be storing hashes, not passwords, which are always the same size no matter how big the password is. There really should be no limit to the size of password you enter, nor the domain of characters you're permitted to input.

Welbog
  • 12
    It's a great indicator of ancient software. When your bank wants len(password) <= 6, and case doesn't matter, it's a _very_ bad sign. – rmmh Mar 31 '09 at 18:32
  • 1
    Phew, hard answer, but probably true. and that's the REAL WTF. – guerda Mar 31 '09 at 18:40
  • 1
    One caveat: the size of the uploaded data stream is a limiting factor. You don't really want to handle an arbitrarily large value. Restricting to something really small like 8 or even 16 is overkill, though. – Joel Coehoorn Mar 31 '09 at 18:44
  • @Joel: a valid point, but like you said there's no reason to restrict the password to something so small, especially something that will be overshadowed by the size of simple HTTP headers. A restriction to a few hundred or thousand characters wouldn't be unreasonable if this is a concern. – Welbog Mar 31 '09 at 18:46
  • 8
    'There really should be no limit to the size of the password' should probably be corrected to read, 'there really should be no _upper_ limit to the size of the password'. – RobH Jun 12 '09 at 19:49
  • I'll take a reasonable upper limit like 16 chars over an accidental no limit that works for some parts of an app but not others. – Michael Haren Jun 12 '09 at 21:46
  • 9
    How on Earth is 16 characters reasonable? My usual passphrases are much longer than that. A "reasonable" limit is something between 1024 and 65536. – Welbog Jun 12 '09 at 21:52
  • With regard to websites, I would bet a sizable fortune that you are in the minority. The average password length for a regular website is probably less than 8 (assuming the minimum is less than 8). – Michael Haren Jun 13 '09 at 13:10
  • 3
    So you're saying it's OK to limit the security of my password because the majority of users don't know anything about security? – Welbog Jun 13 '09 at 15:39
  • "There really should be no limit to the size of password you enter" - not sure I agree with this, I would not want my server to compute the hash for a 3million character password that some helpful user sent in the request. – UpTheCreek Nov 02 '09 at 10:49
  • 2
    @Sosh: I can respect that point of view, which is why I stated that a reasonable limit is something in the 2^10 to 2^16 range, which is several pages of text, but whose hash can be computed relatively quickly. – Welbog Nov 02 '09 at 11:48
  • I basically agree. But... if you allow very very long passwords, users might be more likely to mis-remember them, lock themselves out of their own account, and consume more support resources. Still, a "long" passphrase is more likely to be remembered correctly than `-J]"Z)(2a=2 – JasonSmith Dec 06 '09 at 11:22
  • 3
    If they care about security, they should not be saving anyone's password anyway, but make a salted hash. Those hashes are normally fixed-length, so it doesn't matter how long the password is. – dbkk Feb 04 '10 at 04:54
  • I disagree on the character set. Allowing all sets has the potential risk that people cannot login anymore when they are travelling abroad. Of course it depends on what the service is, but generally I would stick with ansi chars. – jackthehipster Jul 15 '14 at 14:16
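Added example (not code from any answer on this page) of the storage point made in this answer and the hash-cost caveat raised in the comments: with a salted PBKDF2 hash the stored record is the same size whatever the password length, so the only length check a server needs is a generous upper bound to cap KDF work per request, plus whatever minimum it chooses. The policy constants (MIN_LEN, MAX_LEN, iteration count) are assumed values, not a recommendation from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy assumed for this example: a short minimum, a generous maximum
# (in the 2^10..2^16 range Welbog suggests), and no character-set restriction.
MIN_LEN = 8
MAX_LEN = 1024

# KDF parameters (assumed): PBKDF2-HMAC-SHA256 from the standard library.
ITERATIONS = 200_000
SALT_LEN = 16
DIGEST_LEN = 32  # bytes; fixed regardless of how long the password is


def validate_password(password: str) -> None:
    """Only the length is checked; any Unicode character is accepted."""
    n = len(password)
    if n < MIN_LEN:
        raise ValueError(f"password too short (minimum {MIN_LEN} characters)")
    if n > MAX_LEN:
        # Caps the hashing work one request can force on the server.
        raise ValueError(f"password too long (maximum {MAX_LEN} characters)")


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest; always SALT_LEN + DIGEST_LEN bytes long."""
    validate_password(password)
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if len(password) > MAX_LEN:  # reject oversized input before any KDF work
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return hmac.compare_digest(candidate, digest)


def stored_size(password: str) -> int:
    """Bytes the database column needs for this password: constant by construction."""
    return len(hash_password(password))
```

PBKDF2 is used here because it accepts input of any length; a scheme such as bcrypt truncates input at 72 bytes, in which case the effective maximum is a property of the algorithm rather than of storage.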
30

The most common reason for this is because the front-end integrates with some old legacy system that does not handle more than a given number of characters.

krosenvold
  • 6
    +1. Well, the most common *valid* reason... I'd guess the most common reason in reality is simple stupidity. – bobince Mar 31 '09 at 18:38
  • And instead of doing the front end properly and working out how to transparently integrate with the back end, they just drag the problems forward into the new system?! – JeeBee Mar 31 '09 at 18:47
  • 1
    @JeeBee The swamp of legacy systems in enterprises can be enough to make grown men weep, even a full team of them. I'm not advocating the solution, but what if that's the only way you manage to stay halfway consistent? – krosenvold Mar 31 '09 at 19:33
  • .. some *old* legacy system that stores passwords as plain text? – Mechanical snail Aug 01 '12 at 07:07
4

The length restriction is probably due to a storage space concern, but it might be a really bad anti-scripting measure. I'd be a lot more confident if my bank told me my password was too short, rather than too long. Whenever I'm told my password is too short, or "special" characters are not allowed I think, "Oh, they must not have found my password in their dictionary... facepalm."

Any characters should be allowed. Pass phrases should be encouraged, not discouraged. They're much easier to remember than cryptic passwords and much harder to crack since they won't be in a lookup table.

Bill the Lizard
  • +1 for phrases. I love pass phrases. So easy to remember, and naturally contain non-alphanumeric characters. Just make sure they're not ridiculously obvious. – Welbog Mar 31 '09 at 18:44
  • 1
    @Welbog: The system administrator at my old company was a known Trekkie (he had a Starfleet Academy bumper sticker) and he used the password "spock". Something tells me "Live Long and Prosper" would be only slightly more secure. :) – Bill the Lizard Mar 31 '09 at 19:01
  • One system admin I knew used his fan pseudonym as a password, and it was written up on a poster right next to his desk. And he worked for an international policing agency. Ah, happy days ;-) – Steve Jessop Mar 31 '09 at 19:17
3

Some (poorly designed) websites have maximum password lengths for a simple reason: that's all the space they have in their database to store your password. There's a good chance they're not hashing it or processing it at all, meaning it's stored in plain text. For websites like that I use one-use, throw-away passwords every time. It's a poor design, and it's unfortunate that people still use it.

Robert P
3

Seems especially stupid, given that any half decent website does not store plaintext passwords in their database, they store a one way hash of that password (which will always be a set length depending on the algorithm used, for example sha1 is a 160 bit digest) and then rehash that password on login to make sure that the newly hashed password matches the stored one.

Other than for frontend design aesthetics - I agree, it doesn't make any sense to enforce a maximum password length. Minimum length is entirely different though for obvious reasons.

Max
2

It could be that the algorithm they use for encryption doesn't work well with large passwords or that they only have limited storage to store it. Both are very poor reasons, I know, but it's possible.

If I were to make password rules, it would only be things to protect users, like forcing them to use at least one special character and number or mixing lower and upper case.

mandaleeka
1

It could be because they are storing your password as plain text and are trying to save space, but it might also be to try and stop people making their passwords really long and then forgetting them, which means that the company has to send an email with your password, which is a bit of a hassle.

0

The only possible reason to limit a password in that manner would be to simplify the database table, and that's a bad reason. Long, complicated passwords should be allowed!

Furthermore, the site should not be storing the password at all, but rather storing a crypto hash. Since the hash is a fixed size, that makes the database very simple and storage requirements small.

dwc