Please don't restrict *maximum* password length #314

Open
nc7s opened this issue Jul 23, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@nc7s commented Jul 23, 2024

Restricting minimum length is good for security, but maximum? There is no point; it's hashed anyway... unless it's stored in clear text.

@nc7s (Author) commented Jul 23, 2024

Technically, that's not really a problem: any modern web server should easily handle a maximum size request, and if there are too many of them, be able to rate limit. Or: hash in the browser ;)

Joking aside, I personally use something like 40 to 64 in the password generator, and yes, I agree it's very rare to see high 2- or even 3-figure length passwords, if they exist at all. So something like 96 or 192 would suffice.

But no, please don't discriminate between "letter only passphrase" and "password with non-letter chars"; they are just passwords, hashed before being stored. Services shouldn't know anything about them other than the final hashes.

@lennybacon commented Aug 22, 2024

Why a limitation at all?

Accepted there are technical limitations like the bytes sent to the web server...

What others are doing...

  • Linux
    The maximum length of a password supported by the pam_unix module via the helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the password provided by the conversation function to the module will be ignored. Source
  • Windows
    The logon dialog is limited to 127 characters, however. Therefore, the longest password that can be used to log on interactively to a computer running Windows is 127 characters. Theoretically, programs such as services can use longer passwords, but they must be set programmatically because the password change dialog will not allow a password longer than 127 characters. #define PWLEN 256 // Maximum password length
    image

So it would be great to a) make the limitation big (3-figures) and b) display the restriction in the UI (or at least in an error message) explicitly.

@nc7s (Author) commented Aug 22, 2024

Arguably, OS code is hard to change once written, the usual "backward compatibility" shenanigans, mostly because it stays on customer hardware developers don't control. Websites are more fluid and flexible, and run on developer controlled hardware.

That said, 256 is probably enough.

@jedenastka commented

If they use bcrypt2 to hash passwords, then they do have a hard limit on the algorithm level, 56 characters (or rather bytes). That said, 32 characters seems to be random.
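The thread turns on three points: the stored artifact is a fixed-size hash whatever the input length, OS limits such as pam_unix's 512 and Windows' 127/256 are counted in bytes or characters rather than "words", and some hash functions have their own input limit. The following is an added example written for this page, not code from the project or from any commenter. It assumes a policy of 8 to 256 UTF-8 bytes (the 256 figure is the thread's suggestion, not a standard), uses scrypt from the Python standard library as a stand-in for whatever KDF the service really uses, and carries the constant 72 because bcrypt implementations silently hash only the first 72 bytes of the input, so a service on bcrypt needs a check below that limit rather than above it:

```python
"""Password length policy counted in bytes, plus fixed-size hashing.

Added example for this issue thread; not the project's code.
Assumptions: 8..256 UTF-8 bytes as the policy window, hashlib.scrypt as
the KDF, 72 bytes as the bcrypt truncation limit.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_BYTES = 8            # assumption: a sane minimum
MAX_BYTES = 256          # assumption: the 3-figure cap suggested in the thread
BCRYPT_TRUNCATION = 72   # bcrypt hashes only the first 72 bytes of the input
SALT_LEN = 16
DIGEST_LEN = 32


def check_length(password: str, *, min_bytes: int = MIN_BYTES,
                 max_bytes: int = MAX_BYTES) -> Tuple[bool, str]:
    """Return (ok, reason), counting UTF-8 bytes rather than characters.

    Bytes are what the hash function (and any truncation limit) actually
    sees; a 200-character non-ASCII passphrase is far more than 200 bytes.
    Letter-only passphrases and symbol-heavy passwords get identical treatment.
    """
    n = len(password.encode("utf-8"))
    if n < min_bytes:
        return False, f"password must be at least {min_bytes} bytes ({n} given)"
    if n > max_bytes:
        return False, f"password must be at most {max_bytes} bytes ({n} given)"
    return True, ""


def fits_bcrypt(password: str) -> bool:
    """True if bcrypt would hash the whole password rather than a prefix.

    Use this as the upper bound instead of MAX_BYTES when the KDF is bcrypt,
    because bcrypt does not reject long input, it quietly ignores the tail.
    """
    return len(password.encode("utf-8")) <= BCRYPT_TRUNCATION


def _kdf(password: str, salt: bytes) -> bytes:
    # 128 * n * r = 16 MiB of memory per hash; cost does not depend on length.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=DIGEST_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest: 48 bytes regardless of how long the password is."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + _kdf(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a value produced by hash_password."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(password, salt), digest)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the page.
    for pw in ["short", "x" * 40, "correct horse battery staple", "é" * 200]:
        ok, why = check_length(pw)
        print(f"{len(pw):4d} chars / {len(pw.encode()):4d} bytes -> "
              f"{'ok' if ok else why}; fits bcrypt: {fits_bcrypt(pw)}")
    stored = hash_password("a" * 200)
    print("stored size for a 200-byte password:", len(stored))
```

The scrypt pair also shows the property bcrypt lacks: a hash of `"a" * 72` does not verify against `"a" * 73`, whereas with bcrypt the two inputs are indistinguishable. The byte-counting matters for the same reason; the OS limits quoted above (512 bytes for pam_unix, 127 or 256 characters on Windows) only translate into a user-facing rule once you decide which unit the UI reports.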
