
I often (almost always) see that the password I choose in a service is limited (to 16, 30, whatever characters).

Are there any reasons for such a limit, provided that it is stored correctly? In such a case its hash will have a fixed length independent of its size.

I can imagine that there could be a limit on the size of the transaction in order not to impact the server (a 12 GB password could hang it, hit some limits etc.). An undisclosed limit of, say, 10000 characters could make sense in that case, but I fail to understand the rationale for an 8/16/30/50/etc. character limit.

WoJ
  • I'm sure you will find multiple resources online that could help you out with this. A limit is usually set to prevent DoS or buffer overflows at the server end. Also, as per research, a password of 16 characters with a combination of letters, digits and special characters has enough entropy to make it nearly uncrackable. Even according to OWASP the limit need not be greater than 128. Check this https://arstechnica.com/information-technology/2013/09/long-passwords-are-good-but-too-much-length-can-be-bad-for-security/ and this https://www.owasp.org/index.php/Authentication_Cheat_Sheet out. – Tony Thomas May 28 '18 at 03:33
  • @TonyThomas: I mentioned the case of DoS etc. on the server side and yes, a very large limit is understandable. Beyond that it is up to me to choose a password which ultimately will be stored with the same length. The linked question goes through the (poor) rationale of having the limits and boils down to people implementing things without knowing very much why they are doing it one way or another. I would argue that the OWASP limit is also purely arbitrary without any evidence for its existence (especially that short). – WoJ May 28 '18 at 07:27
  • I understand your point. But firstly, don't you think the chances of people using long and weak passwords increase if we have an almost indefinite length count like 10000? And secondly, there should always be a safe limit agreed upon: for example, pbkdf2 takes roughly 1 min for a 1000000 character computation, and bcrypt, for example, takes a maximum of 72 characters for passwords. The same limit varies from implementation to implementation. – Tony Thomas May 28 '18 at 08:09
  • However, as you rightly said, there is no harm in increasing the limit from 16 to a larger value like, say, 1000. Again, this should be done keeping in mind the efficiency of the hashing / encryption method used and the time it takes. – Tony Thomas May 28 '18 at 08:11
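An added example, not code from the question or the commenters: a Python validate-then-hash routine illustrating the two points raised above, that the stored digest has a fixed size whatever the password length, and that a generous cap should be enforced in bytes before any KDF work is spent. The 128 figure is the OWASP value quoted in the comments; the PBKDF2 iteration count and the fixed salt used for the demonstration are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Generous cap, taken from the OWASP figure quoted in the comments. It is
# measured in bytes of the UTF-8 encoding, not characters, because bytes are
# what the KDF actually consumes (bcrypt's well-known 72 limit is bytes too).
MAX_PASSWORD_BYTES = 128
PBKDF2_ITERATIONS = 100_000  # assumption for the example, tune for your hardware


class PasswordTooLong(ValueError):
    """Raised when a password exceeds MAX_PASSWORD_BYTES after encoding."""


def encoded_length(password: str) -> int:
    """Length the server has to process: bytes after UTF-8 encoding.
    Thirty emoji are 30 characters but 120 bytes, past bcrypt's 72."""
    return len(password.encode("utf-8"))


def exceeds_limit(password: str) -> bool:
    return encoded_length(password) > MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Reject oversized input before spending KDF work on it, then derive a
    32-byte digest with PBKDF2-HMAC-SHA256. The digest length never depends
    on the password length, which is the point made in the question."""
    if exceeds_limit(password):
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Apply the same cap on the login path so an oversized attempt is refused
    cheaply, then compare in constant time."""
    if exceeds_limit(password):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)
```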

0 Answers