What technical reasons are there to have low maximum password lengths?

  • I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care about their security.

    I understand most people will pick short passwords like "password" and "123456" but are there technical reasons to force this? Using an application like 1Password, almost all my passwords are something like [email protected]#^L;[email protected]<P]uzt or other randomly generated long strings of unlikely to guess things.

    • Are there specific reasons why websites enforce strict bounds on password lengths (more like 8 or 10, I understand why 100000000 might be a problem...)?

    I must add that a safe password can also be "correct horse battery staple". There is no reason for this and I can only tell you to contact the sites that still enforce this rule.

    @s4uadmin No, "correcthorsebatterystaple" is not safe because it is so wide-known and will probably exist in a dictionary attack. Also, tried using this password on DropBox?

    @AlvinWong I believe s4uadmin provided a well-known example, not the suggestion that somebody actually select "correct horse battery staple" as their own literal password.

    @JeffFerland Yeah, my comment responsed to s4uadmin *literally* while you responsed *figuratively*. I myself *do* use a long password, not "correcthorsebatterystaple" though...

    @s4uadmin: Never heard of a dictionary attack, huh?

    @AlvinWong , from Dropbox's javascript source code, this is an eastern egg: `if (pwd == 'correcthorsebatterystaple' || pwd == 'Tr0ub4dour&3' || pwd == 'Tr0ub4dor&3') { // easteregg [...]`

    Mehrdad, a dictionary attack will not work here. Unless your dictionary has words like Correcthorsebatterystaple

    Not forgetting that hackers now have 'correct horse battery staple' as the *first* entry on their brute force lists :)

    I don't mean to say I endorse this idea, but I have been asked to use a password that is easy to remember because writing it down is a security risk. This could be a technical / human reason for keeping them short. I disagree because by the time someone has their hands on your written password or on your text document where you might have saved it, then your security measures have already failed.

    I asked one such institution, which has a short maximum password length, about this a year ago. Their response to me: "When assessing this with our risk management, it was determined that a 10 character maximum password would be sufficient."

    In a similar vein, why would a site restrict the types of characters that can be used in a password, for example, no punctuation `[email protected]#%".` etc...?

    My hypothesis: because the password is stored plaintext in a database column type `varchar(10)`

    @Ryan A "brute force list"... So at least they have to try the word list (dictionary) before. :-D

    My University has a 16-character maximum password length limit. So when I arrived, I made a 16-character password. Then I tried logging in to their VPS, and it wouldn't work (just died every time, with no error). IT couldn't figure it out for ages. It finally turned out to be because the Cisco router they were using for the VPS only handled up to 12-character password... So my effective upper limit is now 12 characters, if I want to use the VPS.

    Just tried `correcthorsebatterystaple` as a password on Dropbox, and it actually let me sign up. Sad.

  • Take five chimpanzees. Put them in a big cage. Suspend some bananas from the roof of the cage. Provide the chimpanzees with a stepladder. BUT also add a proximity detector to the bananas, so that when a chimp goes near the banana, water hoses are triggered and the whole cage is thoroughly soaked.

    Soon, the chimps learn that the bananas and the stepladder are best ignored.

    Now, remove one chimp, and replace it with a fresh one. That chimp knows nothing of the hoses. He sees the banana, notices the stepladder, and because he is a smart primate, he envisions himself stepping on the stepladder to reach the bananas. He then deftly grabs the stepladder... and the four other chimps spring on him and beat him squarely. He soon learns to ignore the stepladder.

    Then, remove another chimp and replace it with a fresh one. The scenario occurs again; when he grabs the stepladder, he gets mauled by the four other chimps -- yes, including the previous "fresh" chimp. He has integrated the notion of "thou shallt not touch the stepladder".

    Iterate. After some operations, you have five chimps who are ready to punch any chimp who would dare touch the stepladder -- and none of them knows why.


    Originally, some developer, somewhere, was working on an old Unix system from the previous century, which used the old DES-based "crypt", actually a password hashing function derived from the DES block cipher. In that hashing function, only the first eight characters of the password are used (and only the low 7 bits of each character, as well). Subsequent characters are ignored. That's the banana.

    The Internet is full of chimpanzees.

    Oh, and I thought the bears were taking over the internets...

    several chimps were harmed during the making of this answer. ( btw, loved the explanation!)

    Is there any evidence that this is indeed the reason? E.g. has anyone actually asked someone who designed a system with a max password length why they did it that way?

    By the nature of the answer though, the chimpanzee developer should no longer be there.

    Simple solution... let me set my password to whatever I want and just truncate it when I submit it. At least give me the illusion that I am actually choosing my password. Then again you couldn't enforce numbers and weird character rules (good thing in my opinion)

    @Joe that shakes my confidence in the service. Never store my passwords in plain text. Would you be happy to see this? http://thenextweb.com/microsoft/2012/09/21/this-ridiculous-microsoft-longer-accepts-long-passwords-shortens/

    @kush truncation upon submission doesn't prevent hashing, though hashing does remove the point of truncating upon submission.

    .. That's the banana... i would more state that DES-crypt using first 8 characters is the water hose. For your story to be complete you should remove the water hoses, and see who dare to challenge again...

    In other words, modern algorithms implemented properly and there is absolutely no reason for a maximum password limit, other than to make it not completely insane (lets see, say a 1MB long password?). Old Windows NT LANMAN hashes had similar problems with being a maximum of 14 characters which are split into 2x 7 character passwords and hashed without salting.

    That's why you should not document the how but the why. And that goes for all rules.

    I'm with @LarsH. Are we sure that all of this can actually be traced back to the crypt function?

    @LarsH & Kevin, Whaat?! Are you actually _thinking_? No no no, you should blindly upvote and agree. It's a bit ironic, you see, you won't get an answer for that, you're expected to behave much like the chimpanzees in the answer itself.

    @LarsH: One day I asked a chimp (level 2 technical support for resetting passords, on the phone) why the passwords had to be 6 digits and no more (no letter), generated by the system and sent via untracked paper mail. The answer was "We are a bank and cannot take any security risks". Gave up the banana.

    You can even remove the water hoses, and the chimps will still beat up anyone who touches the stepladder.

    "That's the banana." What's the banana, the fact that `crypt()` used to ignore any characters after the first 8? That doesn't seem to fit the analogy, where the banana is the reward everyone can see is desirable, but which chimps have learned by tradition that they shouldn't go after. Seems to me, the banana is something like "higher security by allowing longer passwords". The limitations of legacy `crypt()` might be the *waterhose* rather than the banana. (Correspondence between the analogy and reality is of course hypothetical.)

    @PPC Anecdotal evidence FTW!!

    How do the chimps get into the tubes though?

    OMG, the net is full of chimps. Just for the record, I am currently working on a project to remove 8 character limit on passwords for a client who has over 40,000 users and a lot of applications. Things are not as simple as many of you would like to think. Yes, the crypt() limit is the basic reason for the 8 character limit. Crypt was required to support legacy apps. The 8 char limit made sense when it was originally imposed (CPU, net, I/O speed).

    I have created my account on this site just to upvote your answer. Awesome explanation! You sir, are a true genius!!

    b..but, i thought my bank restricts me to 8 characters for my protection

    @LeoKing This is security.stackexchange, so people don't merely stop at 666, they aim for Strong Primes.

    Something similar to how religion works. Made me smile. Thanks for the amazing analogy.

    +1; Last time I heard this explanation, it ended with "This is what we call <>".

  • These restrictions are often put in place for various reasons:

    • Interaction with legacy systems that do not support long passwords.
    • Convention (i.e. "we've always done it that way")
    • Simple naivety or ignorance.

    As far as security goes, there is no need to limit password lengths. They should be hashed anyway, using a KDF such as bcrypt. To help with performance, it might be worth placing a very large limit (e.g. 512 characters) on the password length, to prevent someone sending you a 1MB password and DoS'ing your server for 10 seconds whilst it computes the hash.

    For what it's worth, good password hashing functions will not be much impacted by password length. With PBKDF2, used with HMAC, the password is the HMAC _key_, so, by application of HMAC, it is first normalized to a value no longer than one internal block (typically 64 bytes). To get 10 seconds of extra CPU work because of a very long password, that password should be about 1.5 GB long, not a mere megabyte.

    Yup, would probably DoS the bandwidth long before the CPU

    There is no hashing function which makes a password like `asdfhjkl` secure.

    @Kaz Nobody said there was.

    @Kaz What if you salt it?

    @Polynomial bcrypt would only have the password length have any effect on CPU time on the first iteration IIRC and then it's just a single hash of 1MB of data (your server that slow to hash 1MB?). I think bandwidth is a lot more of a problem.

    @JoePhilllips: Salting doesn't improve the security of a password inherently, it only protects against offline attacks. Even then, a password like "asdfhjkl", being only eight characters, is quite possible to break so long as you know the salt. Salting doesn't help an individual password much at all, but it protects the whole database enormously by making it impossible to check a single set of passwords in one iteration--you need a check for every single user. The individual passwords are still weak and susceptible to being cracked, but only if they're important enough to bother targeting.

    with the talks of passwords in Mega and Giga ranges, why don't just use Files as passwords? I believe it is used in some places (truecrypt also does it)

    Each character in a password phrase contributes some entropy to the hash. But if the hash is ultimately some N-bit string, then it's superflous if the password phrase has much more than N bits of entropy. Let's make a ridiculous example. Say the hash is 16 bits wide and you use a one megabyte password. The cracker may well find some very short character combination which produces the same hash, and therefore serves in place of your one megabyte password. There is definitely diminishing returns beyond some password length with respect to the strength of the hashing function.

    @Kaz: Your statement "Each character in a password phrase contributes some entropy to the hash" is not always true: because of dictionary attacks, "correct horse battery stapl" is a (less bad) password than if you add the final E

    @PPC Password quality != password entropy. Entropy is a purely statistical measure.

    What - no chimps?!

    You can add "Our customers are too stupid to remember long passwords" to your list of reasons. Not that they are stupid, just perceived that way.

    "As far as security goes, there is no need to limit password lengths. They should be hashed anyway, using a KDF such as bcrypt." Note that bcrypt has a 72-character upper bound; it simply ignores anything beyond that.

    1. If they store it in plaintext or encrypted plaintext, then that's probably the maximum value that can be stored in the DB. On the other hand one should get as far as possible from these sites
    2. To avoid DOS attacks. This is usually if they have a very high limit, like 512 or 1024 bytes
    3. To comply with regulations that are actually made by people not knowing anything about IT security
    4. For legacy reasons, as Tom Leek has pointed out

    Btw. here is a (historical) list of high ranking sites having maximum password lengths:

    http://web.archive.org/web/20130907182806/https://defuse.ca/password-policy-hall-of-shame.htm

    To build on this: the longer the password, the more expensive it is to hash. This is a horrible argument since hashing a 128 chars with PBKDF2 should only have a negligible cost over hashing 8 chars, nullifying any DoS risk (from just pw length). Worse still would be to store the password in plain text, though that might raise storage concerns. I'm all for limiting password length, but I see no reason for that limit to be less than a hundred.

    As an aside, it's worth pointing out that all passwords are of limited length. Even if the form allows unlimited characters, the web server is almost certainly set up with a maximum POST payload size. Even if the web server isn't configured to reject requests, eventually your browser and/or PC will run out of memory to store the password. Sure, most normal people won't try to enter mega-long passwords, but--especially for a high value target like a bank--a developer worth his salt ought to be able to tell you what that limit is and what happens when it gets hit.

  • I asked this question at Bol.com, one of the biggest webshops in the Netherlands. Their response was to prevent being flooded with support emails about forgotten passwords. They then curiously ignored my inquiry about the password reset feature which just emails you a reset link when you have forgotten your password.

    I've concluded that it's most likely a decision from the management team. Alternatively it might be that they don't hash passwords and use this to prevent their database from being flooded (even though you can have a longer username, so this seems unlikely). They also did not respond to a question about whether they hash passwords (you'd think if everything is alright there would be no reason not to reply).

    My supermarket (online shopping) trots out the same excuse. Utterly ridiculous and clearly implemented by someone with no concept of security.

    Looks like some of those chimpanzees got a job at Bol.com :-)

    Haha, basically the same for the german company Telekom :D

  • I would cite an attempt to reduce customer service related issues.

    The larger and more complex passwords are, the higher the likelihood for the customer to enter an invalid password, get locked out and then contact customer service tying up that individual's time.

    It is amazing how many people are unable to accurately type a normal weak password, let alone a password that is a few characters longer or had to have an extra character or 2 injected for complexity.

    Possibly OT but, lengthy passwords are not necessarily a guaranteed true security measure since passwords are straight-out stolen on a fairly common basis nowadays.

    Failed login attempts and Tracking geo-distance from normal login usage is far more accurate metric. if an IP belonging to a known high hacking/attack profile country logs into an American bank and that login has never been used from that location before.....

    A lot of high profile places such as SF/banks generally have a very low failed login attempts count with resulting system-wide lockdowns. Some such as SF go as far as doing individual IP allocation, which means you can't log in from a new IP address without authorizing it.

    This may be the thinking, but IMHO this line of thinking is deeply flawed. Why take way the option of using long, secure passwords because some users prefer short ones? A password reset doesn't usually involve customer service intervention. Also, if passwords *can* be "straight-out stolen" (e.g. they are stored in plain text) then you are doing it completely wrong.

    From my experience, customers not typing/remembering their password correctly does tie up customer support via e-mail and phone. By Passwords being stolen, I am referring to the millions of zombified computers with trojans/key listeners and the numerous phishing attempts. Symantec posted # a few year back on the # of passwords stolen.

    @MDR: If they are not allowed to use longer/stronger passwords, their passwords are easily cracked and again they will come to customer support. And, why should the users come to customer support if they **forget** their password, **if** your web service offers the **forgot my password** feature.

    Good answers, but in order to please the constituency of "users who will invent long passwords even when they can have short ones, then forget them and call up instead of using the password reset", you shut out the "users who use long passwords in a password manager". Pandering to fools an endless, pointless task, so it's better to educate the forgetful group and enable the sensible group. This is IMHO why small password length limits are a deeply flawed idea.

    @SaiManojKumarYadlapati: if a password can be brute forced there is a flaw in your system. Further more if a password can be stolen through keylogger/zombified computer, which happens on a very regular basis, and access to "critical" information is gained, this also represents a flaw in the system.

    @Anthony: You make a good, but what I believe to be theoretical point. I know our company staffs several individuals for "customer relations". I know that the top 2 reasons for customers to call in or email us, that are not related to business specific issues, are all login related. The #1 reason is "they were signed up with the wrong email address" The #2 reason is they can't type their password/don't remember their password. And while I agree 100% with what you are saying my professional experience (at no scale of a large bank) shows that this issue can cost a business owner money.

    @MDR: System wide lockdowns and individual IP allocation etc. are not features but punishments for genuine users when some one tries to crack their account. Sorry that I lost internet connection before completing my comment previously.

    Meh. "passwords can't be done securely because users are too stupid" is a council of despair. Shocking to see it at a bank.

    One more question: Supporting users costs money. We know this. But do you know for sure that your costs will go up if you allow longer passwords, or is it just a superstition? What is the evidence? What you are doing is lowering your day-to-day costs (maybe) but also raising the odds that could lose big at the hacker lottery if your password db is penetrated. You have a saving (maybe) but need to weigh it against the other cost, or it is a false economy.

    I've addressed all of these issues in the inline comments.

    Surely there'd be no need to reduce the maximum size, though. Just don't set a minimum. The kinds of people who use longer passwords would presumably be able to remember them better (eg, using a password manager or some kind of pattern). I imagine the people with shorter passwords have shorter passwords for the purpose of remembering them better (which does make them very vulnerable to brute force attacks, though).

    I don't see how forcing users to not use the memorable password they thought up is going to make passwords easier to remember.

  • "Interaction with legacy systems that do not support long passwords." as mentioned above is the reason for one company I worked at to enforce a maximum password length.

    As a variation on the trope "a group moves as fast as its slowest member" the use of multiple systems which all users had to have access to using the same login credentials meant that any restriction by one of those systems would then have to be applied to all accounts.

    So if one application a didn't like ^ then all passwords for all systems couldn't have a ^. If one program didn't like passwords > 8 chars then all accounts had to have passwords < 9 chars. So in a complex environment like BigCo where I worked this might involve a dozen or two dozen different pieces of software; the LCD was what everyone got.

    They used IE6 as well.

    I lol'd at your last sentence.

    A group with slow members really needs a lion in the back to keep the motivation.

    does IE6 security count as a lion in the back?

    @SargeBorsch The more general statement holds that it does count as a `x` in the `y` for some values of `x, y`.

    @TobiaTesan I love your comment

  • Another possibility I'd like to address that hasn't already is that passwords are sometimes limited by the length of the field that is used to save them, when saved in plain-text. If your field is a VARCHAR(32), then you can save 32 characters at most.

    However, this means something even worse - that the password is saved in plain-text. This is why we accept these sorts of offenses as (lightweight) evidence at plaintextoffenders.com.

    This. If they hashed passwords, they'd all be the same length. Therefore, if a site says "max length X characters", I assume they're either 1) storing plaintext or 2) using a pointless validation. #1 seems more likely.

    Is showing the password in the email proof that they're storing it in plain-text? Couldn't they hash and store it after they send the email? Not saying that they are of course, and I think sending the password in an email is probably insecure for another reason, but it doesn't seem like definitive proof at least.

    Email being an insecure medium by definition, this is ill-advised. Not to mention that people may never delete the email and anyone with access to their mailbox can just look up the word "password" and have instant access to their account.

  • A password length limit is reasonable as long as that limit still allows for strong passphrases; e.g., the limit isn't less than 64 characters. A loud limit when setting the password is significantly better than silently truncating the password.

    If the application ultimately stores the password with 128 bit (hopefully salted and key-stretched) hash, there's no gain in allowing passwords longer than ~64 characters. E.g., with a diceware passphrase with 5 character words with spaces between them, a 64 character passphrase allows 10 words which would have an entropy of more than 128 bits.

    A developer potentially could be worried about SQL injection or buffer overflow attacks injected via the password field -- granted you should use the standard methods to prevent these attacks: always use bound parameters with SQL (versus string manipulation to construct queries) and always properly bounds check your strings (possibly by using a safe programming languages or safe libraries with built in protections). You need to be worried about these attacks on all user input; this is not unique to the password field so the protection gained by a maximum password size is likely negligible.

    There could be tangential reasons for limits as well. A bank that gives users ATM cards with a PIN (personal identification number) may choose to force users to use PINs between 4-10 digits in length. Allowing a user to set and use a 50 digit PIN likely would have little security gain in practice over say a 8 digit PIN - when an attacker needs both a user's ATM card (that hasn't been called in as stolen), use a monitored ATM, and gets locked out after 4 wrong attempts. A 50 digit PIN, could be more expensive in human costs for your bank, as it would be forgotten/input incorrectly more frequently - maybe trigger an employee to investigate (e.g., check the ATM video and compare with previous successful transactions) or have an employee walk the customer through some necessarily lengthy password reset mechanism (e.g., the reset mechanism has to be costly so it is not the weakest link). This whole process could lead to poor customer user experience which the bank wants to avoid.

    Steamstore has 63 characters as a limit. I guess to avoid long/integer overflows .

  • As others have already noted, the big reason that comes up for 8 characters or less is dealing with older systems that don't support anything longer than that.

    Then there is the general good idea of placing some upper bound on what is reasonable. Lets say that is 500 characters. It wouldn't be unreasonable to think anyone providing more than 500 characters for a password might be up to no good.

    But even if you are using a currently recommended password hashing system there are still limits. Bcrypt, which is widely used and from what I can tell generally considered a good/strong option for hashing passwords, only deals with the first 72 characters. Anything beyond 72 characters is thrown away. If my password is 100 characters long and yours is 150, if they start with the same 72 characters bcrypt will consider them the same.

    Given that specific limit in bcrypt, if you are using bcrypt you may want to enforce a 72 character limit to make sure that all unique passwords are actually considered unique by your authentication system.

    `to make sure that all unique passwords are actually considered unique by your authentication system.` sorry, but you cannot. That's why we use cryptographically strong hashes.

    I do not think that there is any reason to enforce a rule that every user should have a unique password. Two different users can very well have the same password. The only disadvantage of bcrypt throwing away everything beyond the first 72 characters is that anyone trying to crack a password only has to try strings of maximum length = 72, i.e. even if I set a password 100 characters long, the extra 28 characters do not give me any additional security.

  • Many sites think it is not needed to have long password since there is brute-force protection (like limiting number of login attempts per IP), which makes very little difference to have long vs short passwords, in both cases it would take years to try all possible combinations.

    The one recomndation would be to use random characters ([email protected]#$%^&*-_=+/\'") a long with a-z A-Z 0-9.

    Depending on RDBMS, some of these additional characters could be used for SQL injections and would hopefully end up being omitted during input parameters sanitization, so I wouldn't really recommend their use without mentioning that the permitted characters can vary, and should be used with caution.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM