Rather than adopting a universal standard, many websites develop their own guide
ID: 661311 • Letter: R
Question
Rather than adopting a universal standard, many websites develop their own guidelines for how passwords should be constructed.
When you consider the number of passwords the average person today has to create and track, this creates problems for those who have a method for constructing and remembering passwords. For instance, some sites actually limit the length of your password to 12 or fewer characters! There are good reasons for enforcing a minimum length, but not to stop a person from using a longer passphrase. 50 characters would be a more reasonable upper limit.
I can understand that certain organizations like the government and the military might want to pursue guidelines that are more stringent than most websites need; however, wouldn't having some universal baseline be practical? Is some organization working to bring this about?
Explanation / Answer
There already is one produced by NIST. And there are good reasons to limit a maximum password length.
Also, depending on what industry you are in, standards/requirements may already have been defined, for instance PCI-DSS or the Department of Defence. The problem here is that there are multiple standards; there is no single one.
Bounds have to be set, both upper and lower bounds. In the case of passwords, an example would be PBKDF2-HMAC-SHA1 (provided that users generate their passwords randomly), a commonly used password hashing algorithm. If the password exceeds 64 bytes in length it will be truncated to 20 bytes (by applying a SHA-1 hash to the password), as otherwise it would exceed the block size. Of course this is still a lot more than 12 characters, but if you initially plan to use a 70-byte-long password it will be reduced to 20 bytes, as otherwise the algorithm won't be able to work with the password.
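The 64-byte/20-byte behaviour the answer describes comes from HMAC itself (RFC 2104): a key longer than the hash's block size is replaced by its digest before use. The following is an added example, not code from the original question or answer, that makes the effect observable with Python's standard library: a password over 64 bytes derives exactly the same PBKDF2-HMAC-SHA1 output as its own 20-byte SHA-1 digest, while a password of 64 bytes or less does not. The salt, the iteration count and the sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac

SHA1_BLOCK_SIZE = 64   # bytes; HMAC-SHA1 pre-hashes any key longer than this
SHA1_DIGEST_SIZE = 20  # bytes; length of the pre-hashed key


def effective_hmac_key(password: bytes) -> bytes:
    """Return the key HMAC-SHA1 actually uses for this password.

    RFC 2104: keys longer than the hash block size are replaced by their
    hash before being padded out to the block size. Keys of 64 bytes or
    less are used as-is (zero-padded).
    """
    if len(password) > SHA1_BLOCK_SIZE:
        return hashlib.sha1(password).digest()
    return password


def hmac_key_equivalent(password: bytes, message: bytes) -> bool:
    """True when HMAC-SHA1(password, m) == HMAC-SHA1(SHA1(password), m),
    i.e. when HMAC silently reduced the password to its 20-byte digest."""
    tag_with_password = hmac.new(password, message, "sha1").digest()
    tag_with_digest = hmac.new(hashlib.sha1(password).digest(), message, "sha1").digest()
    return hmac.compare_digest(tag_with_password, tag_with_digest)


def derive(password: bytes, salt: bytes, iterations: int = 10_000) -> bytes:
    """PBKDF2-HMAC-SHA1 as a password hash. The iteration count is
    deliberately low for the demonstration, not a production setting."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def collides_with_prehash(password: bytes, salt: bytes) -> bool:
    """True when the password and its SHA-1 digest derive the same key, which
    is exactly the case for passwords longer than the 64-byte block size."""
    return derive(password, salt) == derive(hashlib.sha1(password).digest(), salt)


def demo() -> dict:
    # Constructed inputs; a real implementation would use os.urandom(16) for the salt.
    salt = b"constructed-fixed-salt"
    long_pw = b"correct horse battery staple " * 3   # 87 bytes, over the block size
    short_pw = b"x" * SHA1_BLOCK_SIZE                 # exactly 64 bytes, not pre-hashed
    return {
        "long_collides": collides_with_prehash(long_pw, salt),    # True
        "short_collides": collides_with_prehash(short_pw, salt),  # False
        "effective_len": len(effective_hmac_key(long_pw)),        # 20
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the run. First, the reduction is to 160 bits of SHA-1 output, which is far more than any human-chosen passphrase carries, so it is not a reason to cap passwords anywhere near 12 characters. Second, because the 20-byte digest is itself accepted as the password, a system using PBKDF2-HMAC-SHA1 should be aware that a long passphrase and its SHA-1 digest are interchangeable at login; this is a well-known property of HMAC-based KDFs, not a flaw in any particular site.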