On Thu, Apr 28, 2011 at 11:08 AM, Eric Wald <[email protected]> wrote:
> On Tue, Apr 26, Nicholas Leippe wrote:
>> Passwords are not infinite in length. I have never once found a system
>> that allows me to choose a password of arbitrary length. Every one I
>> have encountered has a hard upper limit on the length, usually 16-20,
>> some (including some banks--shudder!) as short as 8.
>
> They're starting to be more common, because the hashed form is always
> the same length. Most of my passwords these days are 39 characters
> long, where allowed. Ironically, the places it isn't allowed are
> usually sites that store my financial information...
>
> I see no reason for password length restriction to be less than 127
> characters. However, allowing a full megabyte would probably be
> excessive. Is there a best-practices limit? 1K, perhaps?
>
Well, sure, but for all practical purposes 99.999% of the population are not going to type in a long paragraph for their password--they have enough trouble typing a short password in correctly every time. It's just too inconvenient to do so.

I think a short sentence of 20-40 chars would be easy to remember, convenient enough to type (if they are decent typists), and much stronger than a hard-to-remember sequence of 8-12 random chars, but there are so many systems that still have short limits. There are still plenty of systems that don't allow spaces.

One of my accounts a while back changed their password method--they emailed me saying that to "increase security" they had stripped all non-alphanumerics out of my password! That is disturbing on many levels.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Don't fear the penguin.
*/
