
Re: [LUG] UK Gov Secure ID

 

There is absolutely no reason to have such low limits on password length.

Most password hashes use fixed length storage so the only resource cost is the 
network traffic and small variation in CPU.

Best practice currently for storage is scrypt, which has a 256-bit derived key, so 
there is no obvious practical benefit to exceeding 256 bits of entropy in the input 
password. But passwords below these lengths are arguably suboptimal. Although they 
may suffice for this Universe, due to expected heat death, limited computing 
resource etc.

Back of the envelope thus says that the benefits of longer drop to zero at about ~43 
randomly generated printable ASCII characters, or a ~72 character English passphrase 
in lowercase. (Feel free to use bigger character sets if you can). Although some 
folk might use longer hashes than scrypt.

I guess some folk may have a password system with less entropy per character than 
lower case English words, so they might benefit from longer than 72 characters, but 
perhaps that is trying too hard to compensate for stupid.

So I'm not going to complain if someone limits it to 100 characters for practical 
reasons (e.g. to prevent resource consumption hashing insanely long passwords).

Of course no one is going to be remembering such passwords, so complaints about 
users forgetting long passwords are moot.




-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
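An added example (not part of the post above or of the list) that checks the two claims the poster relies on: a scrypt derived key is a fixed 32 bytes whatever the input length, and a uniformly random password stops gaining useful entropy once its length reaches 256 bits for its alphabet. The alphabet sizes and sample passwords are constructed assumptions; the poster's ~43 figure matches a 62-symbol alphanumeric alphabet rather than the 95 printable ASCII characters.

```python
"""Back-of-envelope check of the entropy/length argument in the post.
Added example; alphabet sizes and sample passwords are constructed
assumptions, not values taken from the post."""
import hashlib
import math
import os

DKLEN_BYTES = 32  # 256-bit derived key, as the post assumes for scrypt


def chars_for_entropy(target_bits: int, alphabet_size: int) -> int:
    """Characters drawn uniformly from `alphabet_size` symbols needed to
    reach `target_bits` of entropy (each char contributes log2(size) bits).
    Beyond this length a random password cannot add entropy the key holds."""
    bits_per_char = math.log2(alphabet_size)
    return math.ceil(target_bits / bits_per_char)


def scrypt_hash(password: str, salt: bytes, dklen: int = DKLEN_BYTES) -> bytes:
    """Hash with the stdlib scrypt (OpenSSL-backed); cost parameters are
    modest so the example runs quickly. Output size is fixed by dklen,
    not by the password length, which is the storage point in the post."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=dklen)


def useful_length_table(target_bits: int = DKLEN_BYTES * 8) -> dict:
    """Length at which a random password from each constructed alphabet
    reaches the derived key's entropy; longer adds nothing in practice."""
    alphabets = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}
    return {name: chars_for_entropy(target_bits, size)
            for name, size in alphabets.items()}


if __name__ == "__main__":
    salt = os.urandom(16)
    short = scrypt_hash("hunter2", salt)      # constructed sample password
    long_ = scrypt_hash("a" * 500, salt)      # absurdly long input
    print(len(short), len(long_))             # both 32: storage cost is constant
    for name, n in useful_length_table().items():
        print(f"{name:16s} {n} chars reach {DKLEN_BYTES * 8} bits")
```

For lowercase English words the per-character entropy is well below log2(26), so the passphrase figure is necessarily a looser estimate than the random-character ones.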