Should I impose a maximum length on passwords?
I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...
- Wouldn't this just make it easier for brute force attacks? (Bad)
- Does this imply that my password is being stored unencrypted? (Bad)
If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?
Solution
Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.
The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- Read/write to NFC tag with password protection
- Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed
- Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service
- How to read a HttpOnly cookie using JavaScript
- Using PHP to check if there are unsuitable characters in a textarea form
- Why androidx.security.crypto.MasterKeys is deprecated?
- Login session id's with hash
- Convert String to SecureString
- Is there a way to avoid MITM attacks without encryption?
- How to Detect Web Scrapers Using Chrome DevTools Protocol (CDP) Instead of Selenium or Puppeteer?
- Using API keys in a react app
- Session cookies http & secure flag - how do you set these?
- Node.js hashing of passwords
- KeyCloak Java Service Account Create User
- Windows Property Pages: Domain Path Not Shown on Security Tab
- How do I keep a log of all user requests for a specific route properly?
- Session Fixation in ASP.NET
- How to give non-root user in Docker container access to a volume mounted on the host