Question:
Why do web sites enforce a maximum length for passwords?
1970-01-01 00:00:00 UTC
Why do web sites enforce a maximum length for passwords?
Nine answers:
Infinite Luta
2008-03-05 17:27:54 UTC
Your guess is as good as mine on this one.



If I had to guess, I'd say it's bad programing practice and inexperience at work. I can't see any other good, logical reasons why passwords should have such a low maximum length. Whoever was responsible for setting up the user database and web site probably didn't have password security as a priority.
lotsofish
2008-03-05 16:59:04 UTC
I think you will find a lot of "storing plaintext to a database field" code out there. Why they limit to 8 characters? Well, I guess it's just a nice round number huh? It's not good coding practice, but likely something they copy and pasted from a forum or something.



It's a good reason to have different passwords for different accounts. Never reuse important passwords like ones for banking sites on a "fun" site.
Denon W
2008-03-05 16:53:44 UTC
I think the other answerers have mis-read you question. You say why does they impose a 'MAXIMUM' length.



This is a good question, looking at http://www.ratliff.net/blog/index.php/2007/09/20/password-length/ it seems most passwords can be much longer than 8 characters
Jake H
2008-03-05 16:49:22 UTC
wait you said maximumlol sorry,



maybe they dont want long password to take up there space. If you have hundreds of password than a few extra characters can make a big difference. 6-8, its still secure enough and it doesnt take up alot of there disc space.



maybe, who knows, they could just be like OCD about it lol
mi deng
2008-03-05 16:49:44 UTC
Its doesn't really matter how its stored. A shorter password is always easier to crack than a longer one.
Rick Rejeleene
2008-03-05 16:49:07 UTC
Because to protect ur account and ours too....

they are doing good...thing...and if u have password less than 6 characters...many people can guess it with ur hint...
steven25t
2008-03-05 16:51:23 UTC
that would depends on encryption, usually longer password is harder to guess.



those with 6-8 characters have to do with what encryprion site uses. 64-bit 128-bits, or 256
2008-03-05 16:50:37 UTC
oh well, they are just trying to protect your e-mail address from hackers
tnlacey
2008-03-05 09:52:53 UTC
The reason is most likely to prevent buffer overflow attacks. Consider this: nearly every virus ever written has used a buffer overflow exploit to gain access to a system or server. To prevent these attacks, programmers enforce maximum lengths on buffers (in this case, your password field).



A buffer overflow exploit works like this:

1) Program is written expecting, but not enforcing, a maximum length for a string.

2) Malicious user inputs a string longer than that expected, so his string copies OVER ("clobbers") legitimate data. In stack-based languages (most languages like C/C++/Java that use function calls), the object is to write a string long enough to over-write the return address, sending the program to begin executing in the middle of his string instead of where the previous function left off. The trick is that the user did not just type ANY string--oh no... he typed a very carefully formulated string that would be interpreted by the language as executable code.

3) User's "code" string is executed, giving him control of the system.



That is why text fields and buffers have length restrictions. Normally, buffers will just be truncated, chopping off all the excess characters, but you can understand that that would be unacceptable for passwords, for they are memorized and must be stored exactly as each user expects.



Why such a short maximum length? Who knows. 8 is as good a number as any, and it is VERY certain that there must be a size limit somewhere.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.
Continue reading on narkive:
Loading...