We are currently using third-party software for SSO login in a hybrid landscape with SAP, ADFS, etc.
The users have to change their password in the client software, which is then sent to a central server in the third party's cloud and used for a system wide synchronized login.
Is this a good idea and really useful? I don't think so, but it is how it is...
But now I wonder, the password policy says that the passwords have to have a minimum of 8 chars/numbers/special chars... so far so good, but the maximum length is also limited to 12.
What does this mean in terms of security, and which reasons could this have? Does this mean they don't hash the passwords and store them in plain text on their servers? There is no two-factor authentication set up in any way. I am quite concerned now; could anyone please clarify the situation?
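The question above hinges on one technical point: a properly salted, iterated password hash produces a fixed-size digest no matter how long the input is, so a storage column never needs a 12-character cap. The following is an added illustration, not code from the vendor or from the asker's environment; the PBKDF2 work factor, the 128-character upper bound and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# A salted, iterated hash yields a fixed-size digest regardless of password
# length, so a short maximum length is never required for *storage*.
PBKDF2_ITERATIONS = 600_000  # assumption: illustrative work factor
DIGEST_LEN = 32              # SHA-256 output size in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always DIGEST_LEN bytes long."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def check_policy(password: str, min_len: int = 8, max_len: int = 128) -> List[str]:
    """Return the list of policy violations (empty list means acceptable).

    min_len and max_len are assumptions for illustration. A generous max_len
    only bounds the CPU spent hashing very long inputs; it says nothing about
    how the password is stored.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials
    for pw in ["Tr0ub4dor&3", "correct horse battery staple 1!" * 2]:
        salt, digest = hash_password(pw)
        print(f"{len(pw)} chars -> {len(digest)}-byte digest, "
              f"policy: {check_policy(pw) or 'ok'}")
```

Running the block shows an 11-character and a 62-character password both collapsing to a 32-byte digest, and the policy check passing the long one under a 128-character limit. A short cap like 12 is therefore a choice rather than a storage necessity; the one hashing-related reason to cap length at all is to bound CPU cost per attempt, and that limit is normally in the hundreds of characters. One caveat worth knowing when evaluating a vendor: bcrypt silently truncates input at 72 bytes, so a limit near that value can be a legitimate artefact of a sound scheme, whereas 12 does not correspond to any common hash function's behaviour.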