Password length best practices
--What is the standard for maximum password length?
Your passwords have to get quite long before you run into any limitations in the Windows world: the maximum length of a password supported by Active Directory is 256 characters. The maximum length of a password that a human user could actually type to log into Windows in 127 characters (the limitation is in the Windows GUI).
127 is probably quite impractical for a user to type, but might be good for admin accounts where passwords are checked out and copied and pasted from a password vault. Service account passwords that are almost never typed and possibly rarely changed (if ever) could stand to be longer still.
Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters. The speed of password hashing (which is deliberately designed to be slow to impede brute-force attacks) might also significantly depend on input length, hence overly long input may take too long to hash. Other than that, and general limits on request size, there is no good reason. On the other hand, since the hashes are usually fixed-length, you also don’t gain anything by using overly long passwords.
Yes, though if you do both client-side and server-side hashing (which might be a good idea [0]), then the server only receives the fixed-size client hash.
> Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters.
Ahh, I was not aware of this limitation, thank you for clarifying. If I sign up for a service that does not allow up to 72 chars does it mean their hashing algorithm is of lower quality?
