negative zero

Specify the Maximum Password Length

2019 April 4

[opinion] [rant] [security] [tech]


Many services have password length maxima, and unfortunately, many of these are very short. I previously discussed the value of using a password manager, as well as how to create strong, memorable passphrases. Unfortunately, these tools for creating strong passwords are often subverted by password policies requiring short passwords, and, I stress again, often without informing the user. Let's explore.

Suppose you want to sign up for a service and use a strong, memorable passphrase. As I said before, the strength of a password is a function of complexity and length. So you can string a few words together to make a long passphrase that will be strong.

But if the password policy of the service you're trying to use doesn't allow you to make your password that long, I'm afraid you're out of luck. Better revert to those old password rules we all know and hate. You'll probably make your password as simple as you can, so you can remember it. (Of course, in this situation, you should use a password manager to generate a complex password that is as long as you're allowed.)

So let's talk about password managers. Your password manager enables you to generate random (complex) passwords, while simultaneously relieving you of the burden of remembering them. So you should make a random password as long as you are allowed.

The problem is, many services don't tell you what that maximum length is. So you're left with the burden of guessing. For me, this involves playing a fun game where I keep decreasing the length of my password until it's accepted. I start with 128 characters[1], then try 100, then 99, then 72, then 64, 50, 40, 32, 24, 20, 16... You might be thinking to yourself, 128 characters is excessive, and perhaps you're right. But what's the harm if I don't have to remember it myself?

Well, it turns out the harm is that sometimes these systems are not designed to properly inform the user when their password is too long. Instead, they allow the user to submit their password, then seem to truncate it or do some similar operation. As a consequence, I have many times used a very long password to register for a service, only to instantly be unable to access my account and forced to reset my password because I don't know which substring of my password they used.

One way to approach this would be to always select a short password to ensure I don't run into this problem, but that would be intentionally reducing my security. The onus should not be on me as the user to figure out the limitations of the system; it should be on the designer of the interface to specify to the consumer the parameters under which they may create their password. Users should not have to go through this trial-and-error process of gradually weakening their passwords, or reducing the strength of their passwords across the board to accommodate the few services that require poor security.
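The lockout described above, and the fix the post argues for, as an added example (not code from the original post): a registration path that silently keeps only the first `MAX_LEN` characters, next to one that validates against a published policy and refuses with the policy in the error. The limit of 20, the sample passphrase, and PBKDF2 as the hash are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed: an unannounced backend limit, e.g. a fixed-width storage column.
MAX_LEN = 20

# Published policy: both bounds are stated, so a client can show them at sign-up.
PASSWORD_POLICY = {"min_length": 12, "max_length": MAX_LEN}


class PasswordPolicyError(ValueError):
    """Raised instead of silently altering the submitted password."""


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever slow hash the service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_silently_truncating(store: dict, user: str, password: str) -> None:
    """The failure mode: only the first MAX_LEN characters are hashed, nobody is told."""
    salt = os.urandom(16)
    store[user] = (salt, _hash(password[:MAX_LEN], salt))


def register_with_explicit_policy(store: dict, user: str, password: str) -> None:
    """The fix: check the full password against the published policy, never truncate."""
    n = len(password)
    lo, hi = PASSWORD_POLICY["min_length"], PASSWORD_POLICY["max_length"]
    if not lo <= n <= hi:
        raise PasswordPolicyError(
            f"password must be between {lo} and {hi} characters (got {n})")
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))


def login(store: dict, user: str, password: str) -> bool:
    """Login hashes the whole submitted password, so a truncated record never matches."""
    if user not in store:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(digest, _hash(password, salt))


# Constructed passphrase, longer than the unannounced limit.
LONG_PASSPHRASE = "correct horse battery staple and then some"
```

With the truncating path, the only credential that logs in is the 20-character prefix the user never chose; with the policy-checking path, registration fails loudly and the user can pick a password that will actually work.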

In conclusion, services which require passwords should explicitly specify their entire policies for creating passwords, not just the minimum requirements, at the time of sign-up to their users. This will enable users to use well-formed strategies for password creation instead of defaulting to the weakest-allowed passwords.