Should I impose a maximum length on passwords?
I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...
- Wouldn't this just make it easier for brute force attacks? (Bad)
- Does this imply that my password is being stored unencrypted? (Bad)
If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?
Solution
Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.
The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:
- how to secure my website
- Understanding CSRF
- Why can't a malicious site obtain a CSRF token via GET before attacking?
- REST API from mobile app - Does securing the first call with a CAPTCHA make sense?
- How to disable access security notice "A Potential security concern has been identified"
- Addressing critical vulnerabilities in Maven dependencies
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?
- Generating a random password in php
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- Read/write to NFC tag with password protection
- Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed
- Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service
- How to read a HttpOnly cookie using JavaScript
- Using PHP to check if there are unsuitable characters in a textarea form