security, encryption, passwords

Should I impose a maximum length on passwords?


I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...

If someone with (hopefully) some good IT security professionals working for them is imposing a max password length, should I think about doing similar? What are the pros/cons of this?


Solution

  • Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy-to-guess passwords. There is no purpose for a maximum length.

    The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:

    [image: the obligatory XKCD comic on password strength]
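An added example (not part of the question or answer above) illustrating the answer's point: a password hash such as PBKDF2-HMAC-SHA256 produces a fixed-size digest no matter how long the input is, so the stored record has the same size for an 8-character password and a 500-character passphrase. The iteration count and salt length are assumptions chosen for this demo, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this example: kept low so
# the demo runs quickly; production systems should use a much higher count
# (OWASP's 2023 guidance is 600,000 iterations for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000
DIGEST_LEN = 32  # SHA-256 output size in bytes, independent of password length
SALT_LEN = 16    # assumed salt size for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for the given password.

    The digest is always DIGEST_LEN bytes, whether the password is 1 or
    10,000 characters long, so storage needs no upper bound on length.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def stored_lengths(passwords) -> set:
    """Hash each password and return the set of digest lengths produced.

    A single-element set shows that input length does not affect storage size.
    """
    return {len(hash_password(p)[1]) for p in passwords}


if __name__ == "__main__":
    # Constructed sample passwords of wildly different lengths.
    samples = ["hunter2", "correct horse battery staple", "x" * 500]
    print("digest lengths:", stored_lengths(samples))  # {32}
    salt, digest = hash_password(samples[1])
    print(verify_password(samples[1], salt, digest))   # True
    print(verify_password("wrong", salt, digest))      # False
```

One caveat worth knowing when applying the answer's advice: bcrypt (unlike PBKDF2 or scrypt) only uses the first 72 bytes of the password, so a bcrypt-backed store should either document that limit or pre-hash the input; that is a property of bcrypt, not an argument for the 8-character cap the question describes.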