Specifying an arbitrary maximum length for a user's password

17 Sep 2012 - 09:00 UTC.

In an age where we encourage users to have secure passwords that are unique to each site they use, it irritates me when major companies or sites insist on password rules that don't allow for complexity. A major UK telecommunications provider requires that passwords be no longer than 15 characters. One domain registrar went through a period of insisting that passwords be exactly 8 characters long!

This is pure idiocy and a lack of respect for security. Users should be allowed to have passwords that are extremely complex, and not be restricted to a single word. If a user desires, they should be able to use a passphrase or random string of great length. Considering the storage capabilities of systems these days, designing a system that allows hashes to be 1024 or 2048 in length isn't hard.

You can even design a system that accepts input of indefinite length. Once that input has been hashed, you merely need to trim the result down to the required size for your storage system. This does mean some loss, but, playing the percentage game, it makes it even harder to recover the original string from the hash.

Once you've committed to a 1024/2048-length hash, any user's password that is too short to fill it could have predefined garbage appended to the input to bring the hash up to that length, making it harder to discern the length of the original input.
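As an added example (not code from the post), here is how a login back end can accept passphrases of any practical length while storing a constant-size record. The choice of PBKDF2-HMAC-SHA256, the iteration count and the 2048-byte ceiling are assumptions of this example, not something the post specifies. Because the derivation function always emits a 32-byte digest, the stored record is the same size whether the password is 8 or 2000 characters, so no trimming or padding is needed to hide the input length; the generous cap exists only to bound the work a single login attempt can demand from the server.

```python
import hashlib
import hmac
import os
from typing import Optional

# Generous ceiling on password bytes. The post suggests 1024 or 2048 as
# comfortable sizes; 2048 is used here as an assumed value. It bounds the
# KDF's work per request rather than constraining the user's passphrase.
MAX_PASSWORD_BYTES = 2048
SALT_BYTES = 16
# Iteration count assumed for the example; tune upward for production hardware.
ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a fixed-size, salted record from a password of any length up to the cap."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    # PBKDF2-HMAC-SHA256 always yields 32 bytes regardless of input length.
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    pw = password.encode("utf-8")
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_record_length(password: str) -> int:
    """Length of the persisted record; constant for every accepted password."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    short_pw = "8chars!!"
    long_pw = "correct horse battery staple " * 60  # well over 1000 characters
    print(stored_record_length(short_pw), stored_record_length(long_pw))
    record = hash_password(long_pw)
    print(verify_password(long_pw, record), verify_password(short_pw, record))
```

The record format (`scheme$iterations$salt$digest`) keeps the parameters beside the digest, so the iteration count can be raised later without invalidating existing accounts: on a successful login with an old record, simply re-hash and overwrite.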

Security is important, and having ridiculously lax requirements that prevent a user from being as secure as they wish with their data should be cause for concern for any business, especially multi-million £ organisations.
