Should I impose a maximum length on passwords?

by

Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.

The obligatory XKCD explaining why you’re doing your user a disservice if you impose a max length:

The obligatory XKCD

More Related Contents:

  1. Difference between Hashing a Password and Encrypting it
  2. SHA512 vs. Blowfish and Bcrypt [closed]
  3. Encrypting/Hashing plain text passwords in database [closed]
  4. What algorithm should I use to hash passwords into my database? [duplicate]
  5. Fundamental difference between Hashing and Encryption algorithms
  6. Disable browser ‘Save Password’ functionality
  7. Salt Generation and open source software
  8. Is “double hashing” a password less secure than just hashing it once?
  9. Two-way encryption: I need to store passwords that can be retrieved
  10. Why is security through obscurity a bad idea? [closed]
  11. Are HTTPS headers encrypted?
  12. The necessity of hiding the salt for a hash
  13. Preferred Method of Storing Passwords In Database
  14. Password hashing, salt and storage of hashed values
  15. Why is using a Non-Random IV with CBC Mode a vulnerability?
  16. Best Practices: Salting & peppering passwords?
  17. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  18. Differences Between Rijndael and AES
  19. How to send password securely over HTTP?
  20. Moving old passwords to new hashing algorithm?
  21. Best way for a ‘forgot password’ implementation? [closed]
  22. Is it worth encrypting email addresses in the database?
  23. Why not use MD5 for password hashing?
  24. MD5 security is fine? [closed]
  25. What’s wrong with XOR encryption?
  26. Do I need a “random salt” once per password or only once per database?
  27. What is token-based authentication?
  28. What is the easiest way to encrypt a password when I save it to the registry?
  29. What encryption algorithm is best for encrypting cookies?
  30. How are the IV and authentication tag handled for “AES/GCM/NoPadding”?

Leave a Comment