
Password has a max length = not hashing passwords?

Open smtchahal opened this issue 3 years ago • 8 comments

The entry for NordVPN states

Claims to protect your security. Can't even hash a password.

supposedly because they don't allow passwords longer than 48 characters.

Is the implication here that having a, say, low max length necessarily means that the server is not hashing the password?

If the hash is computationally expensive (e.g. with argon2), then as the password length grows, so does the computation time. There has to be some sane limit to it, just to prevent a DoS because of a malicious user with an absurdly long password.

Thoughts?

smtchahal, Apr 30 '22 14:04

I'm not sure about that particular entry in regard to "Can't even hash a password".

The length, however, is just arbitrary. There was a discussion somewhere on adding Google because their max was 99 characters, but that seems like enough to me, so it wasn't added. 48 seems a bit low to me, so it's on the list. It's just made up.

duffn, Apr 30 '22 16:04

So 48 is made up, but 99 is... based on research?

I think we need a concrete number as to what's considered an acceptable upper limit (which definitely needs to be there). But assuming passwords are stored unhashed just because there's a certain upper limit is just silly.

smtchahal, Apr 30 '22 17:04

I didn’t state any sort of research. They’re both made up. 99 seems long enough to me, 48 doesn’t. That’s it.

duffn, Apr 30 '22 17:04

That's fair. I still think we need a number though. I mean 48 seems long enough to me, but that's just always going to be subjective unless we agree upon a number.

I also think we should re-word the NordVPN entry. Hashing should not be put into question without a valid reason.

smtchahal, Apr 30 '22 17:04

Please feel free to open a PR to update the Nord entry! I agree, it sounds odd.

duffn, Apr 30 '22 17:04

Done! See #416.

Let's do something about the max length as well now. OWASP doesn't directly say it, but it does mention 64 characters as a "common maximum length due to limitations in certain hashing algorithms".

Let's go with that then? That 64 characters should be the lowest reasonable max length? We could add it to #219 maybe?

smtchahal, Apr 30 '22 17:04
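The "limitations in certain hashing algorithms" that OWASP alludes to above is, in practice, bcrypt: it only reads the first 72 bytes of its input, so two passwords that agree on those bytes hash identically, and the usual fix is to pre-hash (SHA-512, then base64) so the KDF always sees a fixed-size, NUL-free input. The block below is an added example written for this thread, not code from the dumb-password-rules project or from any of the sites it lists. It shows a password-intake routine that caps length for DoS reasons at a bound far above 64 (1024 bytes is an assumption chosen for illustration), pre-hashes, and then derives the stored hash. PBKDF2-HMAC-SHA256 from the standard library stands in for the real KDF so the example runs offline; the iteration count is deliberately low for that reason and is not a production recommendation.

```python
"""Password intake: bound the length for DoS, then pre-hash so the KDF sees fixed-size input.

Added example for the discussion of maximum password lengths; not project code.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values for illustration, not values from the thread or from OWASP.
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_BYTES = 1024        # a DoS bound, deliberately far above the 64 discussed
PBKDF2_ITERATIONS = 100_000      # kept low so the example runs quickly; raise in production
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def prehash(password: str) -> bytes:
    """SHA-512 the UTF-8 password and base64-encode the digest.

    The KDF therefore always receives 88 printable bytes with no NUL, regardless of
    how long the password is. This is the standard workaround for bcrypt's 72-byte
    input limit; PBKDF2 (used here so the block runs offline) has no such limit,
    and the step is kept to show the technique.
    """
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def accepts(password: str) -> bool:
    """Length policy: a floor in characters, a generous ceiling in encoded bytes."""
    if len(password) < MIN_PASSWORD_CHARS:
        return False
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False
    return True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scheme$iterations$salt_b64$hash_b64."""
    if not accepts(password):
        raise ValueError("password length outside policy")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", prehash(password), salt, PBKDF2_ITERATIONS)
    return "{}${}${}${}".format(
        SCHEME,
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    if not accepts(password):
        return False
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", prehash(password), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def tail_bytes_matter(salt: bytes = b"\x00" * SALT_BYTES) -> bool:
    """Two passwords identical in their first 72 bytes must still hash differently.

    Under raw bcrypt these two would collide; with the pre-hash they do not.
    (Fixed salt here only so the two hashes are comparable.)
    """
    a = "a" * 72 + "x"
    b = "a" * 72 + "y"
    return hash_password(a, salt) != hash_password(b, salt)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("bytes past 72 matter:", tail_bytes_matter())
```

With this shape the only reason to reject a long password is the explicit DoS ceiling, and that ceiling can sit in the hundreds or thousands of bytes because the KDF's per-guess cost is fixed by its own parameters, not by the input length. A site that stops at 48 or 64 characters is therefore making a product choice, not one the hashing forces on it.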

Sure, 64 seems reasonable to me. Though if somebody allows a 70 character password but it’s all lowercase or something absurd like that, then that’s dumb.

duffn, Apr 30 '22 18:04

Agreed! Other dumb password rules still apply. I only opened this issue to discuss password length.

smtchahal, Apr 30 '22 18:04

I added a section here on the new about page on what makes a dumb password rule. https://dumbpasswordrules.com/about/

No specific length really, so our previous discussion still applies. I'll continue to happily review any and all PRs for new entries or updates!

duffn, Feb 15 '23 02:02