If the hacker thinks that 7 character passwords may be allowed, they might
waste a considerable amount of time trying all 1-to-7 character
combinations. If you tell them the minimum is 8 chars, they can save a lot
of time by not trying those shorter passwords.

Also, if the minimum length is really long (>8 chars), the hacker might
guess that most people will use a password of that minimum length, and might
start trying words that are that length since people would be likely to
choose something like that to meet the length requirement while still being
memorable.

However, if your app allows people to register online, the hacker can
probably find out the minimum password length anyway, so validating for min
password length on the login page for that kind of app would have little
(i.e. hacker is not smart enough to try to register first to find out the
minimum password length from the registration form) to no security
consequences.

-Max
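As an added illustration (not part of the original thread), the following Python quantifies the search-space argument above: how large a share of a uniform brute-force search an attacker skips once the minimum length is known. It assumes random guessing over a fixed character set and says nothing about the dictionary-word guessing discussed separately.

```python
"""Added example, not from the mailing-list thread: how much exhaustive-search
work is avoided by learning a site's minimum password length?

For a character set of size c, the candidates of lengths 1..L number
sum_{k=1}^{L} c**k. Knowing the minimum length m lets an attacker drop
lengths 1..m-1. The scenarios in main() are constructed for illustration.
"""


def cumulative_keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidate strings with lengths 1..max_len (0 if max_len < 1)."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def fraction_skipped(charset_size: int, min_len: int, max_len: int) -> float:
    """Share of the 1..max_len search space that lies strictly below min_len."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    below = cumulative_keyspace(charset_size, min_len - 1)
    total = cumulative_keyspace(charset_size, max_len)
    return below / total


def speedup(charset_size: int, min_len: int, max_len: int) -> float:
    """Factor by which the exhaustive search shrinks when short lengths are dropped."""
    return 1.0 / (1.0 - fraction_skipped(charset_size, min_len, max_len))


if __name__ == "__main__":
    # Constructed scenarios: alphanumeric passwords (62 symbols) vs numeric PINs (10 symbols),
    # both with a minimum of 8 and a maximum of 8 (the worst case for the defender).
    for label, c in (("alphanumeric", 62), ("digits only", 10)):
        f = fraction_skipped(c, 8, 8)
        print(f"{label:13s} min=8 max=8: {f:.3%} of the space skipped, "
              f"{speedup(c, 8, 8):.3f}x faster")
```

For a 62-symbol alphabet the skipped share is about one part in 62, because each extra character multiplies the space by 62; only for tiny alphabets such as digit-only PINs does the saving become noticeable.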

----- Original Message ----- 
From: "Christoph Kutzinski" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, March 15, 2004 5:06 AM
Subject: Re: SV: Form Validation


> Joe Hertz wrote:
>
> > Check the Bugzilla. I believe it works in the <html:errors> tag, but you
> > won't get a javascript popup.
> >
> > If memory serves, there's a security concern about using minlength in
> > password fields -- basically the logic goes something like, "Do you really
> > want to be providing a front end validation that tells a cracker how long his
> > randomly guessed password attempts must be".
>
> What should be the problem with this?
> You are only telling him how long they must be AT LEAST. Nothing about
> how long they can be at most.
> If you would say it can be dangerous to expose the maxlength of the
> password to the user, then I could understand it. Though lots of sites do
> exactly this in reality, so it cannot be such a big security danger.
>
> greets,
> Christoph
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
