Password Maximum Length may also be used at the Policy Enforcement Point during a Password Change or Password Reset.
No reasonable person is going to use a website with a 64-character password limit and then turn around and say "this site's security is crap because they didn't let me use more than 64 characters in my password". But just to be sure, make it 100. Or 200. Or stick with NIST's thinking and make it 256; it doesn't matter, because the password is going to hash down to a fixed-length digest regardless of how long it is.
NIST also makes another important, if not obvious, point when it comes to password length: "Truncation of the secret SHALL NOT be performed."
This is really the simplest of concepts: don't impose a short, arbitrary maximum password length, and don't chop characters off the end of a password provided by a user. At the very least, an organizational Entity defending such a limit should say "we know it's bad, there are legacy reasons, we'll put it on the road map to be rectified".
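As an added illustration (not code from the original page), here is a Python Policy Enforcement Point check that applies the bounds discussed above (a minimum of 8 and the 256-character maximum) and hashes the whole secret, so a generous maximum costs nothing in storage. The `truncating_hash` helper deliberately reproduces the legacy behaviour NIST forbids, to make the resulting collision visible; the function names, the fixed salt in the comments and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Bounds from the discussion above: NIST minimum of 8, generous maximum of 256.
MIN_LENGTH = 8
MAX_LENGTH = 256
ITERATIONS = 100_000  # constructed example value; tune to your hardware budget


def check_length_policy(password: str) -> None:
    """Policy Enforcement Point check: reject out-of-range secrets, never trim them."""
    n = len(password)  # count code points, not bytes, so non-ASCII users are not penalised
    if n < MIN_LENGTH:
        raise ValueError(f"password shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        raise ValueError(f"password longer than {MAX_LENGTH} characters")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the full secret with PBKDF2-HMAC-SHA256 (standard library).
    The digest is always 32 bytes, whatever the input length."""
    check_length_policy(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest; over-long input simply fails."""
    if not (MIN_LENGTH <= len(password) <= MAX_LENGTH):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def truncating_hash(password: str, salt: bytes, limit: int = 64) -> bytes:
    """Deliberately wrong legacy behaviour: silently chops the secret at `limit` characters.
    Present only to show why NIST says truncation SHALL NOT be performed."""
    return hashlib.pbkdf2_hmac("sha256", password[:limit].encode("utf-8"), salt, ITERATIONS)


def truncation_collides(a: str, b: str, salt: bytes) -> bool:
    """True when two different passwords verify identically under the truncating scheme."""
    return a != b and truncating_hash(a, salt) == truncating_hash(b, salt)
```

Note that some password hashing functions impose their own input limit (bcrypt, for example, only processes the first 72 bytes), so "the hash takes care of it" must be checked against the specific algorithm in use.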