I visited a website that requires me to create a password. One of the password rules was "7 to 15 letters". Is this a security risk, since many people would now enter a weak password instead? And is there any good reason to restrict a password to 15 letters (and not say 50, which would likely go unnoticed)?
1 Answer
0
No, it goes against password guidelines (e.g. NIST 800-63B Digital Security Guidelines), which say that the maximum length of passwords SHOULD be at least 64 characters.
Plus it is a big red flag, because there is no reason to allow a maximum of 15 characters other than storing passwords in plaintext (which is really bad).
-
Please see the few duplicates listed above. There are technical reasons for password lengths of 15, and it has nothing to do with plaintext. – schroeder Feb 15 '23 at 19:44
-
Legit limits like this are almost always due to the DB being "unchangeable" (a.k.a.: they couldn't afford a real DBA to deal with it). They are working with the limits of the system and found that passwords that are too large crash the system. – Nelson Feb 16 '23 at 05:56
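
An added example, not part of the original thread: when a site stores a salted, slow hash instead of the password itself, the stored record has the same size for an 8-character and a 64-character password, so the database column does not dictate a 15-character cap. The function names, the PBKDF2 parameters and the 64-character ceiling are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os

MIN_LEN = 8           # NIST SP 800-63B minimum for user-chosen passwords
MAX_LEN = 64          # assumed cap; NIST asks that at least 64 be permitted
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16         # bytes of random salt per record
KEY_LEN = 32          # bytes of derived key per record


def check_length(password: str) -> bool:
    """Length rule only, counted in characters (code points), not bytes."""
    return MIN_LEN <= len(password) <= MAX_LEN


def _derive(password: str, salt: bytes) -> bytes:
    # The output length is fixed by dklen, whatever the input length.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )


def make_record(password: str) -> bytes:
    """Return salt || derived key: always SALT_LEN + KEY_LEN bytes."""
    if not check_length(password):
        raise ValueError("password length outside policy")
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    # Rejecting over-long input before hashing bounds the work per request.
    if not check_length(password):
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample passwords of different lengths.
    for pw in ("hunter22", "correct horse battery staple " * 2):
        rec = make_record(pw)
        print(len(pw), "chars ->", len(rec), "bytes stored, verifies:", verify(pw, rec))
```
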