

Ask HN: What are valid reasons for limiting password length? - RobinUS2

I personally get very frustrated if websites reject my 128 character randomly generated passwords with some error message like "Password too long, maximum of 16 characters".

Are there any (legit) reasons for doing this? I couldn't come up with one as they should hash them, and it doesn't matter for the hash function whether the input is 1 or 1000 characters long. Performance loss is minimal.

It really feels like they are using encryption, instead of hashing. Which would be a major security issue.
======
frou_dh
If it was in fact 1-1000 then some nerd would be complaining about _muh 1024
convention_. Next, the 1MB guy.

I don't see how where the line is drawn (and realistically it has to be drawn
somewhere for a public service) necessarily implies anything about whether
proper hashing is being done.

------
bdfh42
I am sure you are quite correct - any limitation (within reasonable bounds for
a web page control) is a strong indication that a web site is not hashing your
password. At best they are encrypting it - and that is bad bad bad.

~~~
krapp
The only justification i've ever heard is that it's an attempt to prevent DOS
attacks by forcing a site to try to hash multiple insanely long passwords.

I don't know if that's even valid though, it doesn't sound plausible to me.

~~~
kevin-brown
It's plausible enough that Django released 1.5.4 to limit password length.
Yes, they later released 1.5.5 which removed the limit, but it still showed
that it was a possible problem in some implementations.

[https://www.djangoproject.com/weblog/2013/sep/15/security/](https://www.djangoproject.com/weblog/2013/sep/15/security/)

------
6thSigma
Websites that allow you to use a 128 character PW could very well be cropping
it at whatever their max PW length is FWIW.

------
csixty4
Depends what you mean by "legit". I once asked a project manager if the client
had any legally-mandated rules for passwords. The response from the client was
(paraphrased) "no legal requirement. Let's go with 6-12 characters, at least
one number and one symbol". I suggested a higher (or no) upper limit, but I
was told to just give them what they wanted.

"It's what the client wants" is a rather legit reason, whether the rules come
from a legal standard for their industry or completely out of their rear end.

------
wnevets
Would the performance loss be minimal if my password is 1GB in size?

~~~
RobinUS2
Highly unlikely. Probably it will hit some kind of max post size in the
webserver. However 128 characters is nowhere near 1GB. I think the gap is
quite significant.

------
byoung2
Maybe they are storing your password in plain text in a VARCHAR(16) field,
which is a scary thought. It is also likely that enforcing a short password
encourages users to choose passwords that are easy to remember...longer
passwords would encourage users to write them down or keep them in a text
file.

~~~
bdfh42
There are no excuses for storing plain text passwords - ever!

Just do not do it - it will always end in tears.

------
Wezc
I never thought about your situation. As a kid web dev I used to limit
password size for db issues as 'byoung2' said: like using a VARCHAR(42) or
something like that depending on the way I store the hash! Anyway, next time
I'll think about you and allow users more space for password! :)

~~~
bennyg
No, no, no. You want to use a hash function that's going to keep it at a
length already. In fact just use BCrypt, and don't do anything funky yourself.
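The two points raised in this thread, a cheap size check before any hashing work (the Django fix kevin-brown links to) and a fixed-length stored digest that makes the column width argument moot, as an added example that is not code from the thread or from Django. It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than bcrypt because bcrypt silently truncates input at 72 bytes, exactly the "cropping" 6thSigma warns about; the 4096-byte cap, iteration count and salt size are constructed policy values, not taken from the thread.

```python
import hashlib
import hmac
import os

# Constructed policy values (not from the thread): reject oversized input
# before the KDF runs, so a huge submission costs one length check, not a
# hash over the whole thing.
MAX_PASSWORD_BYTES = 4096
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output: the same length for any password


class PasswordTooLong(ValueError):
    pass


def _encode(password: str) -> bytes:
    # Measure the cap in bytes, not characters: multi-byte UTF-8 input is
    # larger than its character count suggests.
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return data


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); always 48 bytes long."""
    data = _encode(password)
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS,
                                 dklen=DIGEST_BYTES)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt; oversized input fails before hashing."""
    try:
        data = _encode(password)
    except PasswordTooLong:
        return False
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS,
                                 dklen=DIGEST_BYTES)
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    record = hash_password("x" * 128)  # a 128-character password is fine
    print(len(record), verify_password("x" * 128, record))  # 48 True
```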

------
jeffblake
My bank required that I could only use a 6 character alphanumeric password
when signing up. Kind of scary, but then again, it made me choose a super
random PW like v3Ff78 whereas most all people in that situation would use
their same password for everything, such as baseball. That's my theory anyway.

~~~
wikwocket
Even a "super random" 6-character alphanumeric password is not very secure. A
brute force algorithm can try the entire space of 6-character strings very
quickly. Hopefully they rate-limit login attempts!

------
andrewcooke
the only limit that comes to mind is 16kB (IIRC some servers limit at that)
for an HTTP header parameter (since presumably it will be posted).

but as others have said, the reason is likely to be blind following of poorly
thought-out specs.

