Ask HN: What are valid reasons for limiting password length?
10 points by RobinUS2 on Nov 22, 2013 | hide | past | favorite | 15 comments
I personally get very frustrated if websites reject my 128 character random generated passwords with some error message like "Password too long, maximum of 16 characters".

Are there any (legit) reasons for doing this? I couldn't come up with one as they should hash them, and it doesn't matter for the hash function whether the input is 1 or 1000 characters long. Performance loss is minimal.

It really feels like they are using encryption instead of hashing, which would be a major security issue.




If it was in fact 1-1000 then some nerd would be complaining about muh 1024 convention. Next, the 1MB guy.

I don't see how where the line is drawn (and realistically it has to be drawn somewhere for a public service) necessarily implies anything about whether proper hashing is being done.


I am sure you are quite correct - any limitation (within reasonable bounds for a web page control) is a strong indication that a web site is not hashing your password. At best they are encrypting it - and that is bad bad bad.


The only justification I've ever heard is that it's an attempt to prevent DoS attacks by forcing a site to try to hash multiple insanely long passwords.

I don't know if that's even valid though, it doesn't sound plausible to me.


It's plausible enough that Django released 1.5.4 to limit password length. Yes, they later released 1.5.5, which removed the limit, but it still showed that it was a possible problem in some implementations.

https://www.djangoproject.com/weblog/2013/sep/15/security/
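The defence the Django fix took is a byte-length cap checked before the slow hash runs, not a 16-character limit. As an added illustration (not code from the thread or from Django), here is a minimal PBKDF2 hasher in that style: the 4096-byte cap is the figure from Django's 1.5.4 fix and can be treated as a tunable parameter, every byte of a password inside the cap feeds the hash (so a 128-character password is not cropped), and oversized input is rejected before any hashing work is done.

```python
import hashlib
import hmac
import os
from typing import Optional

# Upper bound on the raw UTF-8 *bytes* of a password accepted for hashing.
# Assumed value: the 4096-byte cap Django 1.5.4 introduced. It keeps
# multi-megabyte inputs away from the slow hash while leaving a
# 128-character generated password untouched.
MAX_PASSWORD_BYTES = 4096
PBKDF2_ITERATIONS = 100_000


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done on an oversized input."""


def _encode(password: str) -> bytes:
    # Measure bytes, not characters: multi-byte UTF-8 text counts in full.
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return data


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    Every byte of the password feeds the hash; nothing is cropped, so
    two passwords that differ only in their 129th character hash differently.
    """
    data = _encode(password)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored record in constant time.

    Oversized input fails fast instead of being hashed, which is the
    point of the cap: the expensive work only ever runs on bounded input.
    """
    try:
        data = _encode(password)
    except PasswordTooLong:
        return False
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Note that the stored record is a fixed-width digest regardless of input length, which is why a column sized for the hash, rather than for the password, is all the database ever needs.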


Websites that allow you to use a 128 character PW could very well be cropping it at whatever their max PW length is FWIW.


Depends what you mean by "legit". I once asked a project manager if the client had any legally-mandated rules for passwords. The response from the client was (paraphrased) "no legal requirement. Let's go with 6-12 characters, at least one number and one symbol". I suggested a higher (or no) upper limit, but I was told to just give them what they wanted.

"It's what the client wants" is a rather legit reason, whether the rules come from a legal standard for their industry or completely out of their rear end.


Would the performance loss be minimal if my password is 1GB in size?


Highly unlikely. Probably it will hit some kind of max post size in the webserver. However 128 characters is nowhere near 1GB. I think the gap is quite significant.


Maybe they are storing your password in plain text in a VARCHAR(16) field, which is a scary thought. It is also likely that enforcing a short password encourages users to choose passwords that are easy to remember...longer passwords would encourage users to write them down or keep them in a text file.


There are no excuses for storing plain text passwords - ever!

Just do not do it - it will always end in tears.


I never thought about your situation. As a kid web dev I used to limit password size for db issues as 'byoung2' said: like using a VARCHAR(42) or something like that depending on the way I store the hash! Anyway, next time I'll think about you and allow users more space for passwords! :)


No, no, no. You want to use a hash function that's going to keep it at a length already. In fact just use BCrypt, and don't do anything funky yourself.


My bank required that I could only use a 6 character alphanumeric password when signing up. Kind of scary, but then again, it made me choose a super random PW like v3Ff78 whereas most people in that situation would use their same password for everything, such as baseball. That's my theory anyway.


Even a "super random" 6-character alphanumeric password is not very secure. A brute force algorithm can try the entire space of 6-character strings very quickly. Hopefully they rate-limit login attempts!


The only limit that comes to mind is 16kB (IIRC some servers limit at that) for an HTTP header parameter (since presumably it will be posted).

But as others have said, the reason is likely to be blind following of poorly thought-out specs.



