At what point in your infinite wisdom did you think it was a security practice to limit the length of my password to 6 or even 8 digits?
Ok, so let's play a little game. There are 94 possible characters on my keyboard, assuming that I can count (probably not though). Now, let's get something straight first: I understand that some programmers don't know how to properly escape input, so for the sake of this argument we will leave some characters out of the possible password string. So let's say 75, to be fair, because a lot of people don't allow certain characters and I can't count. This ~75 includes punctuation, numbers, capital letters, etc.
The following is the number of characters against the number of possible passwords (75 to the power of the length):
1 - 75
2 - 5,625
3 - 421,875
…
6 - 177,978,515,625
7 - 13,348,388,671,875
8 - 1,001,129,150,390,625 - that's ~1 trillion possible passwords.
…
14 - 178,179,480,135,440,826,416,015,625 - that is 100 septillion possible passwords
… It goes on
Now, we all know computers are fairly badass, so which would you feel more secure with? Especially knowing that someone has password cracking software that is built to do nothing but generate passwords and try them against your login?
Ok, while I will agree that 1 trillion possible passwords is a lot, and if you are not using dictionary words, it is MUCH harder for cracking software to work. With 3 more orders of magnitude, you have a much better chance that someone isn’t going to steal your password.
If we take it a bit further and add all of the possible passwords of smaller lengths to the possibilities we have shown above, the numbers increase slightly, but not enough to change the order of magnitude. It still makes a difference, unless the would-be hacker already knows your username and your password.
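To make the counting above reproducible, here is a small Python calculator (added for this post, not the author's code) that computes the keyspace for an exact length, the cumulative keyspace for "every length up to N" that an attacker who doesn't know your length has to cover, and a rough exhaustive-search time for an assumed guess rate. The 75-character alphabet matches the post; the guess rate is a constructed number for illustration only.

```python
from math import log10

# The post's assumption: ~75 usable characters after dropping the ones
# some sites refuse to accept.
ALPHABET_SIZE = 75


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Distinct passwords of exactly `length` characters: alphabet ** length."""
    return alphabet ** length


def cumulative_keyspace(max_length, alphabet=ALPHABET_SIZE):
    """Passwords of every length from 1 up to max_length.

    This is what an attacker must cover when the length is unknown; it is a
    geometric series, so it is only slightly larger than the top term.
    """
    return sum(alphabet ** n for n in range(1, max_length + 1))


def orders_of_magnitude(n):
    """Number of decimal digits minus one, i.e. floor(log10(n))."""
    return int(log10(n))


def expected_guesses(space):
    """On average an exhaustive search hits the right password halfway through."""
    return space // 2


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    # Constructed guess rate, purely to give the numbers a feel for scale.
    RATE = 10**9
    for n in (6, 7, 8, 14):
        exact = keyspace(n)
        total = cumulative_keyspace(n)
        print(f"{n:2d} chars: {exact:,} exact, {total:,} cumulative "
              f"(10^{orders_of_magnitude(exact)} vs 10^{orders_of_magnitude(total)}), "
              f"~{seconds_to_exhaust(exact, RATE) / 86400:,.1f} days at {RATE:,}/s")
```

Running it shows the post's claim directly: the cumulative total for 8 characters is only about 1.4% larger than 75^8, so the order of magnitude does not move, while each extra character multiplies the work by 75.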
Now let's talk storage. You are hopefully hashing my password to store it in a database, so the length of the password won't matter at all there. Unless of course you are using some proprietary reversible "hash" (which is really just encryption) so that you can give my password back to me. DON'T DO THAT!
I don’t want you to send me my password back. I would much rather have to go through the trouble of resetting it, than have you email it to me.
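The two storage points above, that a hashed password takes the same space whatever its length and that a reset flow never needs the original password, can be shown in a few lines. This is an added example using Python's standard library, not code from the post; the PBKDF2 iteration count and the 16-byte salt are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for the example; production values are tuned to the
# hardware and revisited over time.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). The digest is always 32 bytes for SHA-256,
    regardless of how long the password is, so storage cannot justify a cap."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time.
    The site never needs to recover the plaintext to check a login."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def stored_record_size(password):
    """Bytes the site actually keeps for this password: salt + digest."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


def new_reset_token():
    """A one-time, unguessable token for a 'forgot password' link.
    Sending this instead of the password means the site never has to
    hold anything reversible."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for pw in ("short6", "a" * 200):
        print(f"{len(pw):3d}-char password stored in {stored_record_size(pw)} bytes")
    salt, digest = hash_password("correct horse")
    print("login ok:", verify_password("correct horse", salt, digest))
    print("wrong pw:", verify_password("incorrect horse", salt, digest))
    print("reset link token:", new_reset_token())
```

Both a 6-character and a 200-character password end up as 48 stored bytes, and the reset token is generated fresh rather than derived from anything the user typed.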
So what is it? Why the hell are you limiting my password length?
Feel free to list sites that limit password length below. And if you can, send me a link to their reason why!
Don’t know much about this but maybe the reason why there is a limit on password length is so that one is less likely to forget it?
Yeah, but for the sake of security, at least in my eyes, they should not make that excuse.
If they are worried about people forgetting their password, they should build in a “forgot password” script on the site so their users can retrieve them whenever they want. It takes a small amount of time, and they can’t use that excuse anymore!