Какая длина пароля обеспечивает адекватный для современных ос windows уровень защиты

Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.

The obligatory XKCD explaining why you’re doing your user a disservice if you impose a max length:

A maximum length specified on a password field should be read as a SECURITY WARNING. Any sensible, security conscious user must assume the worst and expect that this site is storing your password literally (i.e. not hashed, as explained by epochwolf).

In that that is the case:

1. Avoid using this site like the plague if possible. They obviously know nothing about security.
2. If you truly must use the site, make sure your password is unique — unlike any password you use elsewhere.

If you are developing a site that accepts passwords, do not put a silly password limit, unless you want to get tarred with the same brush.

[Internally, of course your code may treat only the first 256/1024/2k/4k/(whatever) bytes as «significant», in order to avoid crunching on mammoth passwords.]

Allowing for completely unbounded password length has one major drawback if you accept the password from untrusted sources.

The sender could try to give you such a long password that it results in a denial of service for other people. For example, if the password is 1GB of data and you spend all your time accept it until you run out of memory. Now suppose this person sends you this password as many times as you are willing to accept. If you’re not careful about the other parameters involved this could lead to a DoS attack.

Setting the upper bound to something like 256 chars seems overly generous by today’s standards.

answered Sep 19, 2008 at 2:04

First, do not assume that banks have good IT security professionals working for them. Plenty don’t.

That said, maximum password length is worthless. It often requires users to create a new password (arguments about the value of using different passwords on every site aside for the moment), which increases the likelihood they will just write them down. It also greatly increases the susceptibility to attack, by any vector from brute force to social engineering.

answered Sep 19, 2008 at 1:55

Setting maximum password length less than 128 characters is now discouraged by OWASP Authentication Cheat Sheet

https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Citing the whole paragraph:

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

Minimum length of the passwords should be enforced by the application.
Passwords shorter than 10 characters are considered to be weak ([1]).
While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters. Every character counts!!

Make sure that every character the user types in is actually included in the password. We’ve seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20).
This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.

One reason I can imagine for enforcing a maximum password length is if the frontend must interface with many legacy system backends, one of which itself enforces a maximum password length.

Another thinking process might be that if a user is forced to go with a short password they’re more likely to invent random gibberish than an easily guessed (by their friends/family) catch-phrase or nickname. This approach is of course only effective if the frontend enforces mixing numbers/letters and rejects passwords which have any dictionary words, including words written in l33t-speak.

answered Sep 19, 2008 at 2:23

One potentially valid reason to impose some maximum password length is that the process of hashing it (due to the use of a slow hashing function such as bcrypt) takes up too much time; something that could be abused in order to execute a DOS attack against the server.

Then again, servers should be configured to automatically drop request handlers that take too long. So I doubt this would be much of a problem.

answered Sep 7, 2012 at 21:09

Lucas OmanLucas Oman

15.4k2 gold badges44 silver badges45 bronze badges

answered Sep 19, 2008 at 2:02

Ignore the people saying not to validate long passwords. Owasp literally says that 128 chars should be enough. Just to give enough breath space you can give a bit more say 300, 250, 500 if you feel like it.

https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length

Password Length Longer passwords provide a greater combination of
characters and consequently make it more difficult for an attacker to
guess.

…

Maximum password length should not be set too low, as it will prevent
users from creating passphrases. Typical maximum length is 128
characters. Passphrases shorter than 20 characters are usually
considered weak if they only consist of lower case Latin characters.

answered Jun 17, 2018 at 9:18

My bank does this too. It used to allow any password, and I had a 20 character one. One day I changed it, and lo and behold it gave me a maximum of 8, and had cut out non-alphanumeric characters which were in my old password. Didn’t make any sense to me.

All the back-end systems at the bank worked before when I was using my 20 char password with non alpha-numerics, so legacy support can’t have been the reason. And even if it was, they should still allow you to have arbitrary passwords, and then make a hash that fits the requirements of the legacy systems. Better still, they should fix the legacy systems.

A smart card solution would not go well with me. I already have too many cards as it is… I don’t need another gimmick.

answered Sep 19, 2008 at 3:22

UserUser

3195 silver badges16 bronze badges

Marek PuchalskiMarek Puchalski

3,0021 gold badge25 silver badges34 bronze badges

Storage is cheap, why limit the password length. Even if you’re encrypting the password as opposed to just hashing it a 64 character string isn’t going to take much more than a 6 character string to encrypt.

Chances are the bank system is overlaying an older system so they were only able to allow a certain amount of space for the password.

answered Sep 19, 2008 at 1:51

Should there be a maximum length? This is a curious topic in IT in that, longer passwords are typically harder to remember, and therefore more likely to get written down (a BIG no-no for obvious reasons). Longer passwords also tend to get forgotten more, which while not necessarily a security risk, can lead to administrative hassles, lost productivity, etc. Admins who believe that these issues are pressing are likely to impose maximum lengths on passwords.

I personally believe on this specific issue, to each user their own. If you think you can remember a 40 character password, then all the more power to you!

Having said that though, passwords are fast becoming an outdated mode of security, Smart Cards and certificate authentication prove very difficult to impossible to brute force as you stated is an issue, and only a public key need be stored on the server end with the private key on your card/computer at all times.

answered Sep 19, 2008 at 1:59

benPearcebenPearce

37.3k14 gold badges64 silver badges96 bronze badges

Chris JChris J

30.3k6 gold badges68 silver badges109 bronze badges

dewddewd

4,3603 gold badges28 silver badges42 bronze badges

M KomaeiM Komaei

5,6352 gold badges19 silver badges29 bronze badges

answered Sep 19, 2008 at 2:05

answered Sep 22, 2008 at 8:24

Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.

The obligatory XKCD explaining why you’re doing your user a disservice if you impose a max length:

A maximum length specified on a password field should be read as a SECURITY WARNING. Any sensible, security conscious user must assume the worst and expect that this site is storing your password literally (i.e. not hashed, as explained by epochwolf).

In that that is the case:

1. Avoid using this site like the plague if possible. They obviously know nothing about security.
2. If you truly must use the site, make sure your password is unique — unlike any password you use elsewhere.

If you are developing a site that accepts passwords, do not put a silly password limit, unless you want to get tarred with the same brush.

[Internally, of course your code may treat only the first 256/1024/2k/4k/(whatever) bytes as «significant», in order to avoid crunching on mammoth passwords.]

Allowing for completely unbounded password length has one major drawback if you accept the password from untrusted sources.

The sender could try to give you such a long password that it results in a denial of service for other people. For example, if the password is 1GB of data and you spend all your time accept it until you run out of memory. Now suppose this person sends you this password as many times as you are willing to accept. If you’re not careful about the other parameters involved this could lead to a DoS attack.

Setting the upper bound to something like 256 chars seems overly generous by today’s standards.

answered Sep 19, 2008 at 2:04

First, do not assume that banks have good IT security professionals working for them. Plenty don’t.

That said, maximum password length is worthless. It often requires users to create a new password (arguments about the value of using different passwords on every site aside for the moment), which increases the likelihood they will just write them down. It also greatly increases the susceptibility to attack, by any vector from brute force to social engineering.

answered Sep 19, 2008 at 1:55

Setting maximum password length less than 128 characters is now discouraged by OWASP Authentication Cheat Sheet

https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Citing the whole paragraph:

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

Minimum length of the passwords should be enforced by the application.
Passwords shorter than 10 characters are considered to be weak ([1]).
While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters. Every character counts!!

Make sure that every character the user types in is actually included in the password. We’ve seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20).
This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.

One reason I can imagine for enforcing a maximum password length is if the frontend must interface with many legacy system backends, one of which itself enforces a maximum password length.

Another thinking process might be that if a user is forced to go with a short password they’re more likely to invent random gibberish than an easily guessed (by their friends/family) catch-phrase or nickname. This approach is of course only effective if the frontend enforces mixing numbers/letters and rejects passwords which have any dictionary words, including words written in l33t-speak.

answered Sep 19, 2008 at 2:23

One potentially valid reason to impose some maximum password length is that the process of hashing it (due to the use of a slow hashing function such as bcrypt) takes up too much time; something that could be abused in order to execute a DOS attack against the server.

Then again, servers should be configured to automatically drop request handlers that take too long. So I doubt this would be much of a problem.

answered Sep 7, 2012 at 21:09

Lucas OmanLucas Oman

15.4k2 gold badges44 silver badges45 bronze badges

answered Sep 19, 2008 at 2:02

Ignore the people saying not to validate long passwords. Owasp literally says that 128 chars should be enough. Just to give enough breath space you can give a bit more say 300, 250, 500 if you feel like it.

https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length

Password Length Longer passwords provide a greater combination of
characters and consequently make it more difficult for an attacker to
guess.

…

Maximum password length should not be set too low, as it will prevent
users from creating passphrases. Typical maximum length is 128
characters. Passphrases shorter than 20 characters are usually
considered weak if they only consist of lower case Latin characters.

answered Jun 17, 2018 at 9:18

My bank does this too. It used to allow any password, and I had a 20 character one. One day I changed it, and lo and behold it gave me a maximum of 8, and had cut out non-alphanumeric characters which were in my old password. Didn’t make any sense to me.

All the back-end systems at the bank worked before when I was using my 20 char password with non alpha-numerics, so legacy support can’t have been the reason. And even if it was, they should still allow you to have arbitrary passwords, and then make a hash that fits the requirements of the legacy systems. Better still, they should fix the legacy systems.

A smart card solution would not go well with me. I already have too many cards as it is… I don’t need another gimmick.

answered Sep 19, 2008 at 3:22

UserUser

3195 silver badges16 bronze badges

Marek PuchalskiMarek Puchalski

3,0021 gold badge25 silver badges34 bronze badges

Storage is cheap, why limit the password length. Even if you’re encrypting the password as opposed to just hashing it a 64 character string isn’t going to take much more than a 6 character string to encrypt.

Chances are the bank system is overlaying an older system so they were only able to allow a certain amount of space for the password.

answered Sep 19, 2008 at 1:51

Should there be a maximum length? This is a curious topic in IT in that, longer passwords are typically harder to remember, and therefore more likely to get written down (a BIG no-no for obvious reasons). Longer passwords also tend to get forgotten more, which while not necessarily a security risk, can lead to administrative hassles, lost productivity, etc. Admins who believe that these issues are pressing are likely to impose maximum lengths on passwords.

I personally believe on this specific issue, to each user their own. If you think you can remember a 40 character password, then all the more power to you!

Having said that though, passwords are fast becoming an outdated mode of security, Smart Cards and certificate authentication prove very difficult to impossible to brute force as you stated is an issue, and only a public key need be stored on the server end with the private key on your card/computer at all times.

answered Sep 19, 2008 at 1:59

benPearcebenPearce

37.3k14 gold badges64 silver badges96 bronze badges

Chris JChris J

30.3k6 gold badges68 silver badges109 bronze badges

dewddewd

4,3603 gold badges28 silver badges42 bronze badges

M KomaeiM Komaei

5,6352 gold badges19 silver badges29 bronze badges

answered Sep 19, 2008 at 2:05

answered Sep 22, 2008 at 8:24