What technical reasons are there to have low maximum password lengths?

Question

I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care about their security.

I understand most people will pick short passwords like "password" and "123456" but are there technical reasons to force this? Using an application like 1Password, almost all my passwords are something like fx9@#^L;UyC4@mE3<P]uzt or other randomly generated long strings of unlikely to guess things.

• Are there specific reasons why websites enforce strict bounds on password lengths (more like 8 or 10, I understand why 100000000 might be a problem...)?

Answer 1

Take five chimpanzees. Put them in a big cage. Suspend some bananas from the roof of the cage. Provide the chimpanzees with a stepladder. BUT also add a proximity detector to the bananas, so that when a chimp goes near the banana, water hoses are triggered and the whole cage is thoroughly soaked.

Soon, the chimps learn that the bananas and the stepladder are best ignored.

Now, remove one chimp, and replace it with a fresh one. That chimp knows nothing of the hoses. He sees the banana, notices the stepladder, and because he is a smart primate, he envisions himself stepping on the stepladder to reach the bananas. He then deftly grabs the stepladder... and the four other chimps spring on him and beat him squarely. He soon learns to ignore the stepladder.

Then, remove another chimp and replace it with a fresh one. The scenario occurs again; when he grabs the stepladder, he gets mauled by the four other chimps -- yes, including the previous "fresh" chimp. He has integrated the notion of "thou shallt not touch the stepladder".

Iterate. After some operations, you have five chimps who are ready to punch any chimp who would dare touch the stepladder -- and none of them knows why.

---

Originally, some developer, somewhere, was working on an old Unix system from the previous century, which used the old DES-based "crypt", actually a password hashing function derived from the DES block cipher. In that hashing function, only the first eight characters of the password are used (and only the low 7 bits of each character, as well). Subsequent characters are ignored. That's the banana.

The Internet is full of chimpanzees.

Answer 2

These restrictions are often put in place for various reasons:

• Interaction with legacy systems that do not support long passwords.
• Convention (i.e. "we've always done it that way")
• Simple naivety or ignorance.

As far as security goes, there is no need to limit password lengths. They should be hashed anyway, using a key derivation function (KDF) such as bcrypt. To help with performance, it might be worth placing a very large limit (e.g. 512 characters) on the password length, to prevent someone sending you a 1MB password and DoS'ing your server for 10 seconds whilst it computes the hash.

Answer 3

1. If they store it in plaintext or encrypted plaintext, then that's probably the maximum value that can be stored in the DB. On the other hand one should get as far as possible from these sites
2. To avoid DOS attacks. This is usually if they have a very high limit, like 512 or 1024 bytes
3. To comply with regulations that are actually made by people not knowing anything about IT security
4. For legacy reasons, as Tom Leek has pointed out

Btw. here is a (historical) list of high ranking sites having maximum password lengths:

http://web.archive.org/web/20130907182806/https://defuse.ca/password-policy-hall-of-shame.htm

Answer 4

I asked this question at Bol.com, one of the biggest webshops in the Netherlands. Their response was to prevent being flooded with support emails about forgotten passwords. They then curiously ignored my inquiry about the password reset feature which just emails you a reset link when you have forgotten your password.

I've concluded that it's most likely a decision from the management team. Alternatively it might be that they don't hash passwords and use this to prevent their database from being flooded (even though you can have a longer username, so this seems unlikely). They also did not respond to a question about whether they hash passwords (you'd think if everything is alright there would be no reason not to reply).

Answer 5

I would cite an attempt to reduce customer service related issues.

The larger and more complex passwords are, the higher the likelihood for the customer to enter an invalid password, get locked out and then contact customer service tying up that individual's time.

It is amazing how many people are unable to accurately type a normal weak password, let alone a password that is a few characters longer or had to have an extra character or 2 injected for complexity.

Possibly OT but, lengthy passwords are not necessarily a guaranteed true security measure since passwords are straight-out stolen on a fairly common basis nowadays.

Failed login attempts and Tracking geo-distance from normal login usage is far more accurate metric. if an IP belonging to a known high hacking/attack profile country logs into an American bank and that login has never been used from that location before.....

A lot of high profile places such as SF/banks generally have a very low failed login attempts count with resulting system-wide lockdowns. Some such as SF go as far as doing individual IP allocation, which means you can't log in from a new IP address without authorizing it.

Answer 6

"Interaction with legacy systems that do not support long passwords." as mentioned above is the reason for one company I worked at to enforce a maximum password length.

As a variation on the trope "a group moves as fast as its slowest member" the use of multiple systems which all users had to have access to using the same login credentials meant that any restriction by one of those systems would then have to be applied to all accounts.

So if one application a didn't like ^ then all passwords for all systems couldn't have a ^. If one program didn't like passwords > 8 chars then all accounts had to have passwords < 9 chars. So in a complex environment like BigCo where I worked this might involve a dozen or two dozen different pieces of software; the LCD was what everyone got.

They used IE6 as well.

Answer 7

A password length limit is reasonable as long as that limit still allows for strong passphrases; e.g., the limit isn't less than 64 characters. A loud limit when setting the password is significantly better than silently truncating the password.

If the application ultimately stores the password with 128 bit (hopefully salted and key-stretched) hash, there's no gain in allowing passwords longer than ~64 characters. E.g., with a diceware passphrase with 5 character words with spaces between them, a 64 character passphrase allows 10 words which would have an entropy of more than 128 bits.

A developer potentially could be worried about SQL injection or buffer overflow attacks injected via the password field -- granted you should use the standard methods to prevent these attacks: always use bound parameters with SQL (versus string manipulation to construct queries) and always properly bounds check your strings (possibly by using a safe programming languages or safe libraries with built in protections). You need to be worried about these attacks on all user input; this is not unique to the password field so the protection gained by a maximum password size is likely negligible.

There could be tangential reasons for limits as well. A bank that gives users ATM cards with a PIN (personal identification number) may choose to force users to use PINs between 4-10 digits in length. Allowing a user to set and use a 50 digit PIN likely would have little security gain in practice over say a 8 digit PIN - when an attacker needs both a user's ATM card (that hasn't been called in as stolen), use a monitored ATM, and gets locked out after 4 wrong attempts. A 50 digit PIN, could be more expensive in human costs for your bank, as it would be forgotten/input incorrectly more frequently - maybe trigger an employee to investigate (e.g., check the ATM video and compare with previous successful transactions) or have an employee walk the customer through some necessarily lengthy password reset mechanism (e.g., the reset mechanism has to be costly so it is not the weakest link). This whole process could lead to poor customer user experience which the bank wants to avoid.

Answer 8

Another possibility I'd like to address that hasn't already is that passwords are sometimes limited by the length of the field that is used to save them, when saved in plain-text. If your field is a VARCHAR(32), then you can save 32 characters at most.

However, this means something even worse - that the password is saved in plain-text. This is why we accept these sorts of offenses as (lightweight) evidence at plaintextoffenders.com.

Answer 9

As others have already noted, the big reason that comes up for 8 characters or less is dealing with older systems that don't support anything longer than that.

Then there is the general good idea of placing some upper bound on what is reasonable. Lets say that is 500 characters. It wouldn't be unreasonable to think anyone providing more than 500 characters for a password might be up to no good.

But even if you are using a currently recommended password hashing system there are still limits. Bcrypt, which is widely used and from what I can tell generally considered a good/strong option for hashing passwords, only deals with the first 72 characters. Anything beyond 72 characters is thrown away. If my password is 100 characters long and yours is 150, if they start with the same 72 characters bcrypt will consider them the same.

Given that specific limit in bcrypt, if you are using bcrypt you may want to enforce a 72 character limit to make sure that all unique passwords are actually considered unique by your authentication system.

Answer 10

Many sites think it is not needed to have long password since there is brute-force protection (like limiting number of login attempts per IP), which makes very little difference to have long vs short passwords, in both cases it would take years to try all possible combinations.

The one recomndation would be to use random characters (!@#$%^&*-_=+/\'") a long with a-z A-Z 0-9.

Answer 11

I'd say there are three main reasons:

1. Legacy systems not supporting special characters
2. The desire to keep support overhead down, and use of the system up, by keeping users' passwords actually rememberable. In other words, if you let users make and use paswords they can't remember, they will, and as a result they'll either annoy you about it or stop using the site due to the hassle
3. Developers not wanting to have to worry about parsing special characters from untrusted users, which could potentially be dangerous

In the past the top reason was probably the lack of ability to support the passwords (#1), and today it's probably the lack of desire to support them--mostly from #2, but partially from #3.

Answer 12

Jet another reason is UI design and overall user experience: It's not obvious to many users what is going on when the visible length of the input field is reached as each character is shown as a star or big dot. This can confuse users and cause negative emotions (less likely to buy something, to come back or to recommend the site to a friend). Technical solutions are possible but it is just easier to limit the length, e.g. to 20 characters, so that the cursor never reaches the end of the input field.

Answer 13

With additional restrictions (generally, only numbers accepted), it can also be motivated by the fact it allows (or may allow, if some day the need would arise) entering the password through some interface with limited capacities...

That's why many banks have set such restrictions for web access passwords, to allow access through legacy systems which only have numerical keypads (ATMs, phones...)

Answer 14

All bank sites I know have a pin like system that locks your account after 3 failed password attempts. This means that long passwords would be counterproductive because they are easier to mistype or forget, especially because you can't see them (and if you could see them security would be even worse).

If you take eg. a pin system for smartphones where you type in 4 numbers, the chances of guessing it right within 3 tries is 0.03%. With 8 digits, the chances of guessing it right (if the sequence is randomly generated and not chosen stupidly) become so small, that if you would try to guess 7 billion peoples passwords, you would only on average guess 209 peoples passwords right. If characters and/or special characters are allowed the chances of guessing get even smaller, multiplied by a factor of 1^-4 or 1^-6 respectively.

Even if users are allowed to choose passwords and would choose them in a semi-predictive manner, within 3 tries it's impossible to crack any particular account and your average wouldn't improve too much, even if you would have a lot of data, like all birthdays in a family and the names of everyone in the family and every friend of the person. And you are also unlikely to have a reliable and comprehensive list of that kind for a large population.