114
submitted 4 days ago by [email protected] to c/[email protected]

It's infuriating to create a "strong password" with letters, numbers, upper and lowercase, symbols, and non-repeating text... but it has to be only 8 to 16 characters long.

That's not a "strong" password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I'm talking government websites, not just forums. It seems crazy to me.

[-] [email protected] 15 points 4 days ago* (last edited 4 days ago)

No, there is no valid reason to limit web passwords to lengths as short as 8 or 16 characters. If someone has built such a system with a technical limit that short, then what they have built is (from a security perspective) garbage.

Thankfully, NIST finally dropped their terrible password guidelines of the past in favor of sensible ones. Perhaps this will lead to fewer bad decisions being made in web development circles.

A few relevant sections:

https://pages.nist.gov/800-63-4/sp800-63b.html#usability-considerations-by-authenticator-type

https://pages.nist.gov/800-63-4/sp800-63b.html#length

https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

Obligatory xkcd:

https://xkcd.com/936/

(To be clear, this comic's approach to passphrases is sound advice.)

[-] [email protected] 1 points 3 days ago

Yeah, I usually limit passwords to 256 characters, because that's way longer than anyone needs and still short enough to not worry about overloading something.

[-] [email protected] 3 points 3 days ago

What are you worried about overloading?

[-] [email protected] 2 points 3 days ago

Mostly DOS attacks with ridiculously large payloads.

[-] [email protected] 1 points 3 days ago

Hashing takes up cpu time

[-] [email protected] 2 points 3 days ago* (last edited 3 days ago)

Oh my goodness.

I am very skeptical of this reasoning. If hashing of 256-character passphrases, or even 2560-character passphrases, consumes enough CPU time to risk overloading your system, then I think you are in an infinitesimal niche worthy of a detailed write-up.

If you're worried about that load, just wait until you learn about key derivation functions.

[-] [email protected] 2 points 2 days ago

So you were questioning a password limit of 256 chars.
Let's say we do not impose a limit because we're not worried about anything. We now get hit by a botnet trying to create accounts or log in, thousands at the same time.

Say we're using Argon2id. This is obviously subjective to hw and parameters, but let's say 8k characters take 5 seconds of (1) cpu time on your server.
Now multiply this by 1000 attempts a second, and all your hardware does is calculate hashes.

The input limit of Argon2 specifically is much, much higher than that at 2^32-1 bytes, at which point you might as well just take it offline yourself.

If hashing of 256-character passphrases, or even 2560-character passphrases

If we impose no limit, why would the attacker limit themselves to 2560 chars?
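The mitigation both sides of this exchange are circling is a length cap chosen for cost, not for "strength": generous enough to satisfy NIST SP 800-63B's minimum maximum of 64 characters, but checked before the key derivation function ever runs. The following is an added example (not code from any commenter) using the stdlib scrypt KDF; the 8-character floor, the 256-character ceiling from the thread, and the scrypt parameters are assumed values.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example: a low floor, no composition rules,
# and a ceiling well above NIST's required 64 that only bounds KDF work.
MIN_LEN = 8
MAX_LEN = 256
# Memory-hard KDF parameters (assumed); 128*n*r bytes = 16 MiB per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
SALT_LEN = 16


def check_password_policy(password: str) -> tuple[bool, str]:
    """Length-only policy: spaces and Unicode are fine, nothing else is judged.
    Returns (accepted, reason) so callers can report the rejection cheaply."""
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    return True, "ok"


def hash_password(password: str) -> bytes:
    """Reject oversized input before any expensive work, then derive the hash.
    Output layout: salt || scrypt digest."""
    ok, reason = check_password_policy(password)
    if not ok:
        raise ValueError(reason)
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Same cheap gate on the verify path: an out-of-policy candidate can never
    match a stored hash, so the KDF is skipped entirely for it."""
    ok, _ = check_password_policy(password)
    if not ok:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)
```

The gate on the verify path is what turns an oversized login attempt from a KDF invocation into a string-length comparison.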

[-] [email protected] 1 points 3 days ago

Probably so they don't get fired for implementing a DoS vector

this post was submitted on 30 May 2025
114 points (98.3% liked)
