security - Should I impose a maximum length on passwords?

Question

Welcome To Ask or Share your Answers For Others

security - Should I impose a maximum length on passwords?

posted Oct 17, 2021 in Technique[技术] by 深蓝 (71.8m points)

security - Should I impose a maximum length on passwords?

I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...

Wouldn't this just make it easier for brute force attacks? (Bad)
Does this imply that my password is being stored unencrypted? (Bad)

If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-17T00:08:49+0000

Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.

The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:

Categories

security - Should I impose a maximum length on passwords?

security - Should I impose a maximum length on passwords?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags