How not to request a password

I will not mention the UK government site on which I have just encountered this, to protect the guilty:

Seriously? What is the point of only giving some of the requirements? banghead


Lol, right. And what is the rationale for limiting a password to 20 characters? (genuinely curious if someone knows the answer)


Or, indeed, limiting the available special characters?

1 Like

Usually because they stick the password into a fixed length varchar in the database. Mind you if they do their proper hashing and know the output length, shouldn’t be an issue either, but if they roll their own or don’t know the final length, they may just hack it off at a certain length. That is my guess.

And this because sometimes they are lazy and some special characters, if not properly handled, can lead to injections or inadequate pattern matching. I mean I can see parenthesis, semicolons, commas all being problematic. They are probably just saying “Hell with handling all that, these are all you get to use”.


Wait, which alphabet did you use? Latin, Greek, Hebrew? You have to use at least one!


There’s a thought - maybe I’ll try Greek next time they make me change my password. lol


A 20-character password is definitely not too long. However, a 20-character password can
provide you with good security. So, the 20 character password is a good length and is of
enough length.

1 Like

It is ‘enough’ length, perhaps. Is it a good idea to limit it? Not really.
Why 20 characters? Historical reasoning, perhaps.
An MD5 hash can produce 2^128 possible hashes.

It turns out that 94^19 (Why 94?

94 = alphaAlphaNum~!@#$%^&*()_-+={[}]|\:;"'<,>.?/

is smaller than 2^128, and 94^20 is larger than 2^128. So after 20 characters, MD5 hashes theoretically start becoming non-unique. (In actuality that’s probably not the case, but it was a mathematical certainty beyond that point.)

Now, the world (hopefully!) has moved on beyond MD5, but that’s probably the reason for 20 being the golden number by some websites standards.


these types of problems make my 1password subscription all the more worth it. Kidding aside, I used to work for a corporate security firm and we would monthly change passwords that met the requirements exactly. You’d be surprised at the sophistication of modern-day hacking software that can decode the most insconpicous passwords.

Surely proper hashing should deal with all of that too.
These reasons appear to point to not using proper hashing. :grimacing:

1 Like

You are certainly right. You would be surprised at what people are doing for password management. Some roll their own hash algorithm (yikes) and some insist on encryption rather than hashing. We are also assuming that people take in a password and immediately hash then do their comparisons. Some have to carry the password a long a bit to hash and sync with other systems etc.

One company I joined even had clear text passwords. It is a wild west out there with tons of insecurity. After what I have seen in my career, I am surprised there isn’t more breaches. :slight_smile:

1 Like