Am I missing something? Why do passwords get length caps?

3 pointsAquiGorka2y ago9 comments

E.g. Atlassian caps at 100 chars. Why would they do so?

9 comments

Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters. The speed of password hashing (which is deliberately designed to be slow to impede brute-force attacks) might also significantly depend on input length, hence overly long input may take too long to hash. Other than that, and general limits on request size, there is no good reason. On the other hand, since the hashes are usually fixed-length, you also don’t gain anything by using overly long passwords.

AquiGorkaOP2y ago

> Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters.

Ahh, I was not aware of this limitation, thank you for clarifying. If I sign up for a service that does not allow up to 72 chars does it mean their hashing algorithm is of lower quality?

layer82y ago

I don't think such an inference can be made.

mtmail2y ago

If the hashing takes too long (e.g. 5-10 seconds) the website also risks a denial of service attack.

layer82y ago

Yes, though if you do both client-side and server-side hashing (which might be a good idea [0]), then the server only receives the fixed-size client hash.

[0] https://security.stackexchange.com/a/100517

rolph2y ago

i found this interesting:

Password length best practices --What is the standard for maximum password length?

Your passwords have to get quite long before you run into any limitations in the Windows world: the maximum length of a password supported by Active Directory is 256 characters. The maximum length of a password that a human user could actually type to log into Windows in 127 characters (the limitation is in the Windows GUI).

127 is probably quite impractical for a user to type, but might be good for admin accounts where passwords are checked out and copied and pasted from a password vault. Service account passwords that are almost never typed and possibly rarely changed (if ever) could stand to be longer still.

https://specopssoft.com/blog/password-length-best-practices/

zzo38computer2y ago

Length limits can help to avoid long processing time perhaps, so you should set a limit, but the limit should be long, maybe more than 100 bytes.

spelufo2y ago

varchar (100) ?

gymbeaux2y ago

Yeah I would assume it’s the max length of the column in whatever database they’re storing the hashed password

j / k navigate · click thread line to collapse

9 comments

layer82y ago

AquiGorkaOP2y ago

> Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters.

Ahh, I was not aware of this limitation, thank you for clarifying. If I sign up for a service that does not allow up to 72 chars does it mean their hashing algorithm is of lower quality?

layer82y ago

I don't think such an inference can be made.

mtmail2y ago

If the hashing takes too long (e.g. 5-10 seconds) the website also risks a denial of service attack.

layer82y ago

Yes, though if you do both client-side and server-side hashing (which might be a good idea [0]), then the server only receives the fixed-size client hash.

[0] https://security.stackexchange.com/a/100517

rolph2y ago

i found this interesting:

Password length best practices --What is the standard for maximum password length?

https://specopssoft.com/blog/password-length-best-practices/

zzo38computer2y ago

Length limits can help to avoid long processing time perhaps, so you should set a limit, but the limit should be long, maybe more than 100 bytes.

spelufo2y ago

varchar (100) ?

gymbeaux2y ago

Yeah I would assume it’s the max length of the column in whatever database they’re storing the hashed password

j / k navigate · click thread line to collapse