
Some websites state specific requirements for a password when you create an account. Some are understandable, but in particular the maximum password length doesn't make sense to me. Some websites restrict the password to no special characters, only numbers and letters, and the password has to be between 8-16 characters.

Doesn't that limit the entropy to a point where a really secure password is not even possible? If the attacker knows the requirements, wouldn't brute-forcing be way too easy if they acquire the database?

Also is there any technical limitation that would explain a maximum password length? I understand that for example bcrypt has a maximum of something like 72 characters, which seems fine to me. But for what reason would someone choose 16 as the maximum?

Does it maybe even indicate that the passwords aren't stored securely and the password length is restricted so the website can save on database space?

Skrelp
  • Possible duplicate of [What technical reasons are there to have low maximum password lengths?](https://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths), or [this](https://security.stackexchange.com/q/22884), or several others. – AndrolGenhald Feb 12 '19 at 19:00
  • For what it's worth, a fully random 16 character password of uppercase, lowercase, and digits would have over 95 bits of entropy, which is far _far_ better than most passwords. That doesn't mean the restriction is a good idea, but it's at least _possible_ to still have a very good password. – AndrolGenhald Feb 12 '19 at 19:04
  • Aren't "Doesn't that limit the entropy [too much for some applications]? Does it maybe even indicate that the passwords aren't stored securely" and "what are the technical reasons for limiting password length?" fundamentally different questions? @AndrolGenhald's good comment/answer and the answers in the currently linked question don't seem to overlap at all. – Cody P Feb 12 '19 at 21:55
  • @CodyP There are different duplicates for each question, but I think they can all be answered fully by searching here. I found [this one](https://security.stackexchange.com/q/41698) for "does it indicate insecure storage" after I read the question again (it was past 5 minutes so I couldn't add it to my original comment). That's probably part of the reason why stackexchange encourages asking separate questions, much easier to point people towards good answers for those already asked, and separate them from new questions that need to be answered :) – AndrolGenhald Feb 12 '19 at 22:00
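As an added worked example (not part of the original question or comments), the arithmetic behind the "over 95 bits" figure in the comments above, written here in Python with only the standard library. It computes the entropy of a uniformly random password under a letters-plus-digits policy at the shortest and longest allowed length, the size of the whole keyspace an attacker who knows the "8 to 16 characters" rule must enumerate, and the expected cracking time at two guess rates. The guess rates and the alphabet sizes are assumed values chosen for illustration, not measurements of any real hardware or site.

```python
import math

# Assumed guess rates for illustration only (not measurements): a fast,
# unsalted hash attacked on GPU hardware versus a deliberately slow
# password hash such as bcrypt at a high cost factor.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_HASH_GUESSES_PER_SEC = 1e4
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes used below (chosen for the example).
ALNUM = 62          # a-z, A-Z, 0-9: the policy described in the question
PRINTABLE_ASCII = 95  # letters, digits and symbols, for comparison


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of exactly `length`
    characters drawn from `alphabet_size` symbols: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def policy_keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates an attacker who knows the policy must enumerate:
    every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def policy_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """log2 of the whole policy keyspace. Shorter lengths add almost nothing:
    the sum is dominated by the longest allowed length."""
    return math.log2(policy_keyspace(alphabet_size, min_len, max_len))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time to find a uniformly random secret by brute force: the
    attacker tries half the keyspace on average before hitting it."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def summarize(alphabet_size: int, min_len: int, max_len: int) -> dict:
    """Worst case (shortest allowed) and best case (longest allowed) under
    one policy, at both assumed guess rates."""
    worst = entropy_bits(alphabet_size, min_len)
    best = entropy_bits(alphabet_size, max_len)
    return {
        "min_bits": worst,
        "max_bits": best,
        "policy_bits": policy_bits(alphabet_size, min_len, max_len),
        "min_years_fast_hash": expected_crack_years(worst, FAST_HASH_GUESSES_PER_SEC),
        "max_years_fast_hash": expected_crack_years(best, FAST_HASH_GUESSES_PER_SEC),
        "min_years_slow_hash": expected_crack_years(worst, SLOW_HASH_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for label, size in (("letters+digits", ALNUM), ("printable ASCII", PRINTABLE_ASCII)):
        s = summarize(size, 8, 16)
        print(f"{label}, 8-16 chars: {s['min_bits']:.1f}..{s['max_bits']:.1f} bits "
              f"(whole keyspace {s['policy_bits']:.1f} bits); "
              f"8 chars vs fast hash: {s['min_years_fast_hash'] * SECONDS_PER_YEAR:.0f} s, "
              f"8 chars vs slow hash: {s['min_years_slow_hash']:.0f} years, "
              f"16 chars vs fast hash: {s['max_years_fast_hash']:.1e} years")
```

The point the numbers make: the 16 character maximum still leaves a random letters-plus-digits password at roughly 95 bits, and knowing the length range barely helps the attacker (the whole 8 to 16 keyspace is only about 0.02 bits larger than the 16 character case alone). The cap hurts only a user who wanted something longer, such as a passphrase. The real damage is at the other end: an 8 character minimum is about 48 bits, which falls in minutes against a fast unsalted hash, so the hash function matters far more than the maximum length.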
