Why do websites have password length limits, if they’re hashed anyway?

Anonymous 0 Comments

Websites do this for a few reasons.

* Arbitrarily large passwords are hard to test.

If you allow thousands of characters in a password, then at some point you may run into issues. If you’re properly testing your software, you should at least test edge cases like “the largest possible password” to see if they actually work. You can’t do that if you don’t have *some* limit.

Some systems do the hash on the server side, to protect against broken client-side code, because it was easier, or because they just decided to design it that way. In this case, you not only need to know that your software can handle long passwords, but you need every step along the way to work too. Firewalls, network hardware, other software….

You also need to be consistent. Some sites have gotten burned in the past because the password change page allowed you to set a password longer than the login page would accept. Users could lock themselves out of their accounts by accident this way. (This happened to PayPal at one point).

Defining a limit allows you to test that limit.

* One of the cardinal rules is *do not truncate user passwords*.

By not setting a limit, you may end up doing this by accident. Perhaps some part of the chain truncates strings by default, and you don’t realize it. This could make a user’s password substantially less secure, and with no feedback to them at all. Instead, a password field should accept a very long password and give the user feedback that it’s too long and allow them to fix it. Again, this goes back to testing.

* Arbitrarily long passwords can allow DoS attacks.

Hashing algorithms take longer to process longer inputs. If your system doesn’t set some limit, then maybe someone uploads a multiple gigabyte text file as their “password” to lock down one of your server processes.

Because this can be mitigated with rate limiting, it’s probably a secondary concern.

———————–

Ultimately the problem with many sites is not that they set a limit on long passwords, but that the limit is *too low*. A 100 character password should be possible on just about any system in use today. There’s no excuse for sites choosing to set a limit much lower than this. Yet we sometimes see banks setting a limit to 8 characters or something absurdly low.
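The points in the answer above, sketched as an added example that is not part of the original answer: one length check shared by the set-password and login paths, over-limit input rejected with an error instead of truncated, and the check done before any hashing. All names, the 128-character limit and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 128            # assumed policy limit, in characters
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


class PasswordPolicyError(ValueError):
    """Raised so the caller can tell the user what to fix."""


def check_policy(password: str) -> bytes:
    """The single length check used by BOTH set-password and login."""
    if len(password) > MAX_LEN:
        # Reject with feedback; never cut the string down silently.
        raise PasswordPolicyError(f"password is longer than {MAX_LEN} characters")
    return password.encode("utf-8")


def set_password(password: str) -> tuple[bytes, bytes]:
    raw = check_policy(password)  # bound the input before hashing
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    try:
        raw = check_policy(password)  # same limit as set_password
    except PasswordPolicyError:
        return False  # over-limit input is never hashed
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored)


def truncating_layer(password: str, width: int = 16) -> str:
    """Constructed stand-in for a component that cuts strings to a fixed width."""
    return password[:width]


if __name__ == "__main__":
    longest = "a" * MAX_LEN  # the edge case the limit makes testable
    salt, stored = set_password(longest)
    print("longest allowed password verifies:", verify_password(longest, salt, stored))
    print("over-limit login rejected:", not verify_password(longest + "a", salt, stored))
    # Two different passwords become identical after silent truncation.
    a, b = "correct horse battery staple", "correct horse bad"
    print("collide after truncation:", truncating_layer(a) == truncating_layer(b))
```
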
