Share via


Passwords, Passphrases, and validation

In my old blog, I wrote about a post by one of my Microsoft colleagues recommending the use of passphrases rather than passwords for Windows security. One problem that I've run into with using passphrases (or long/complex passwords) is that some applications use validation that limits the length and/or complexity of passwords, or prevents the use of certain characters. Some examples:

- The blogging software I'm using right now rejected spaces in the username in an earlier build. Thankfully, this has been corrected.

- A bank web site that I use does not allow the use of special characters (such as _) in passwords.

All I can say about such limitations is DON'T DO IT!!!

Limiting the length and/or complexity of your users' passwords is a great way to make it more difficult for your users to be secure. If you must impose some limitations, make sure that you inform your users what those limitations are, and be absolutely sure that there is not any existing user data that does not fit those limitations. The last thing you want is to prevent a user with an existing account from logging in because your validation doesn't like their existing account credentials.

Personally, I think that it's more important to ensure that credentials are validated when they are added, rather than when the user logs in. It's important to ensure that credentials (particularly passwords) meet your requirements for length and complexity (i.e. - neither too short, nor too simple) before you allow the user to register. But if you validate credentials for length/complexity when logging in, you may inadvertently provide potential attackers with information that could help them to guess usernames and passwords. Perhaps not a huge risk, but worth considering nonetheless.

Comments

  • Anonymous
    August 03, 2004
    It has always blown my mind that many web sites limit the length of passwords to rediculously small lengths. 8 characters? Are you kidding me? And I'm not talking forum accounts on some script kiddy's web site. These are sites for major corporations that you would expect to have somewhat decent security.

    I actually ran into a problem with an account for a major cellphone company, whose name I will not mention (I feel like going outside for a SPRINT). While changing my password, I entered a new value which, unbeknownst to me, was longer than the allowed length. Of course there was no notice of the length restriction, and when I pressed submit, the server happily accepted the new value, truncating it to fit their length requirements. I received no message other than password changed. The next time I visited the site, I couldn't login.

    I switched carriers a month later. Can you hear me now?