Should I impose a maximum length on passwords?

security encryption passwords
nickf picture nickf · Sep 19, 2008 · Viewed 77.2k times · Source

I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...

  • Wouldn't this just make it easier for brute force attacks? (Bad)
  • Does this imply that my password is being stored unencrypted? (Bad)

If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?

Answer

epochwolf picture epochwolf · Sep 19, 2008

Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.

The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:

The obligatory XKCD

Related questions

How to send password securely over HTTP?

If on a login screen user submits a form with his username and password, the password is sent in plain text (even with POST, correct me if I am wrong). So the question is what is the right way to …

Read More
SHA512 vs. Blowfish and Bcrypt

I'm looking at hashing algorithms, but couldn't find an answer. Bcrypt uses Blowfish Blowfish is better than MD5 Q: but is Blowfish better than SHA512? Thanks.. Update: I want to clarify that I understand the difference between hashing and encryption. …

Read More
Difference between Hashing a Password and Encrypting it

The current top-voted to this question states: Another one that's not so much a security issue, although it is security-related, is complete and abject failure to grok the difference between hashing a password and encrypting it. Most commonly found in …

Read More