
Please don't restrict *maximum* password length

Open nc7s opened this issue 1 year ago • 4 comments

Restricting minimum length is good for security, but maximum? There is no point, it's hashed anyway, unless it's stored in clear text.


nc7s avatar Jul 23 '24 16:07 nc7s

Technically, that's not really a problem: any modern web server should easily handle a maximum size request, and if there are too many of them, be able to rate limit. Or: hash in the browser ;)

Joking aside, I personally use something like 40 to 64 in the password generator, and yes, I agree it's very rare to see high 2- or even 3-figure length passwords, if they exist at all. So something like 96 or 192 would suffice.

But no, please don't discriminate between "letter only passphrase" and "password with non-letter chars"; they are just passwords, hashed before being stored. Services shouldn't know anything about them other than the final hashes.

nc7s avatar Jul 23 '24 18:07 nc7s

Why a limitation at all?

Accepted there are technical limitations like the bytes sent to the web server...

What others are doing...

  • Linux The maximum length of a password supported by the pam_unix module via the helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the password provided by the conversation function to the module will be ignored. Source
  • Windows The logon dialog is limited to 127 characters, however. Therefore, the longest password that can be used to log on interactively to a computer running Windows is 127 characters. Theoretically, programs such as services can use longer passwords, but they must be set programmatically because the password change dialog will not allow a password longer than 127 characters.
    #define PWLEN 256 // Maximum password length

So it would be great to a) make the limitation big (3-figures) and b) display the restriction in the UI (or at least in an error message) explicitly.

lennybacon avatar Aug 22 '24 10:08 lennybacon

Arguably, OS code is hard to change once written, the usual "backward compatibility" shenanigans, mostly because it stays on customer hardware developers don't control. Websites are more fluid and flexible, and run on developer controlled hardware.

That said, 256 is probably enough.

nc7s avatar Aug 22 '24 19:08 nc7s

If they use bcrypt2 to hash passwords, then they do have a hard limit on the algorithm level, 56 characters (or rather bytes). That said, 32 characters seems to be random.

jedenastka avatar Oct 26 '24 23:10 jedenastka
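To make the two points above concrete (a generous limit that is shown explicitly in the error message, and the fact that the hash function itself has a limit measured in bytes rather than characters), here is an added example. It is not code from the userstyles.world project and the limits in it (12 characters minimum, 256 bytes maximum) are assumed policy values chosen for illustration. It hashes with scrypt from Python's standard library rather than bcrypt so it runs without third-party packages; with bcrypt the same byte-counting check matters even more, because bcrypt implementations truncate input at 72 bytes.

```python
"""Added example (not the project's code): enforce a minimum password
length, cap the maximum generously and in UTF-8 BYTES (what a KDF consumes),
report the limit in the error message, and hash with scrypt. All limits
and cost parameters are assumed values, not the project's settings."""
import hashlib
import hmac
import os
from typing import Optional

MIN_PASSWORD_CHARS = 12    # assumed minimum, counted in characters
MAX_PASSWORD_BYTES = 256   # assumed generous cap, counted in UTF-8 bytes

# scrypt cost parameters (assumed); memory use is 128 * r * N = 16 MiB here
SCRYPT_LOG2_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 14, 8, 1, 32


class PasswordPolicyError(ValueError):
    """Raised with a user-facing message naming the limit that was hit."""


def encode_for_hashing(password: str, enforce_minimum: bool = True) -> bytes:
    """Return the UTF-8 bytes that will be fed to the KDF, or raise
    PasswordPolicyError. The maximum is checked after encoding because
    non-ASCII characters take several bytes each and KDF limits (bcrypt's
    72-byte truncation, for example) are byte limits, not character limits.
    enforce_minimum=False is used at login so that accounts created under
    an older, shorter minimum can still authenticate."""
    if enforce_minimum and len(password) < MIN_PASSWORD_CHARS:
        raise PasswordPolicyError(
            f"Password must be at least {MIN_PASSWORD_CHARS} characters.")
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError(
            f"Password must be at most {MAX_PASSWORD_BYTES} bytes when "
            f"UTF-8 encoded; yours is {len(encoded)} bytes.")
    return encoded


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a new password. The result is self-describing so the cost
    parameters can be raised later without breaking existing records."""
    encoded = encode_for_hashing(password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(encoded, salt=salt, n=2 ** SCRYPT_LOG2_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return (f"scrypt${SCRYPT_LOG2_N}${SCRYPT_R}${SCRYPT_P}$"
            f"{salt.hex()}${digest.hex()}")


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant
    time. Over-long input is rejected before any KDF work rather than being
    silently truncated."""
    try:
        encoded = encode_for_hashing(password, enforce_minimum=False)
    except PasswordPolicyError:
        return False
    algo, log2_n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(encoded, salt=bytes.fromhex(salt_hex),
                               n=2 ** int(log2_n), r=int(r), p=int(p),
                               dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # constructed sample inputs
    long_passphrase = "correct horse battery staple " * 7   # 203 characters
    record = hash_password(long_passphrase)
    print("200+ character passphrase accepted:",
          verify_password(long_passphrase, record))
    try:
        encode_for_hashing("ä" * 130)   # 130 characters but 260 bytes
    except PasswordPolicyError as err:
        print("rejected with an explicit message:", err)
```

Note that the 130-character "ä" passphrase is rejected even though it is well under 256 characters: the limit is stated, checked and reported in bytes, which is the unit the hash function actually sees.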