5
SPie
7y

Sites requiring a maximum password length, does it mean they store the passwords in clear text?
Or what would be a plausible explanation for this stupid requirement?

Comments
  • 1
    While there's certainly no guarantee that having a maximum password length implies storing it in cleartext, I can't help it: either they just put an arbitrary constraint there for no reason at all or there's an actual constraint there in the password field in the database. Either way, I automatically assume they don't have a clue what they're doing. Maybe it's not the case, but I can't help trusting them less because of that.

    I mean, having a maximum input length to prevent the user from pasting the whole Bram Stoker's Dracula in there is one thing, limiting passwords to 16 characters for no good reason is another.
  • 2
    @Jilano maybe I don't understand it right, but if a hash would be used for passwords, the length would be kind of fixed, or not?

    And I cannot imagine any reason why I should limit the password, other than I want to limit the password db column size.
  • 3
    @Jilano most professional services store hashed and salted passwords, in a hash algorithm the output length stays constant therefore a size restriction on the actual DB field makes no sense.

    @SPie unless of course they are storing the plain text password as is or they are encrypting the password, not hashing it, in which case the output size could vary. Either case represents a security risk.

    Unless there's any other secondary technical issue (i.e memory overflows), passwords shouldn't have a length limit.
  • 1
    @JKyll i guess a very big limit would make sense, like 256 chars, and a salted hash of that size, so you kind of know the security of the hash
Add Comment