
Email Password Policies are Absurd...

Email Password Length... Control Panel Max is 32 Characters, Webmail form says 25 characters, and POP3? Won't let you log in if it's somewhere north of 20 characters. Limiting password length, or limiting the acceptable characters, is meaningless in terms of a properly hashed and salted password database. The only reason I can imagine for it is the notion that it somehow reduces support costs by reducing password recovery requests. But with all the support calls over email issues right now I bet it doesn't feel like much of a savings....
3 REPLIES
Retired
Not applicable

Hi,

There are approximately 95 possible characters to choose from for each password character. That's 95 to the power of 25. That's a huge number, 95x95x95............25 times!

I'm pretty sure a decent password can be made from this.

Retired
Not applicable

Even with some characters being not allowed and only alphanumeric, that's still a huge number.

That's not the point. If you hash 5 characters or 50 characters you'll get the same hash length to store. Also, retroactively changing the POP3 server to only accept passwords shorter than what is allowed on the website is probably the source of a lot of people's email problems. Though it's possible the problem lies with their implementation and not strictly speaking a cap on its length. The result is effectively the same though.
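The two points raised in this thread, as an added example that is not part of any post: a salted hash has the same stored size for a 5-character or 50-character password, and front ends with different length caps lock out a user whose password was accepted by the most permissive one. The caps are the figures reported above (the POP3 value is approximate); PBKDF2-HMAC-SHA256, the function names and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Length caps as reported in the thread; POP3 is approximate ("north of 20").
LIMITS = {"control_panel": 32, "webmail": 25, "pop3": 20}

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed algorithm: the thread does not say what the provider uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def enroll(password: str) -> tuple[bytes, bytes]:
    """Set a password through the control panel, the most permissive front end."""
    if len(password) > LIMITS["control_panel"]:
        raise ValueError("password exceeds control panel limit")
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def login(front_end: str, password: str, record: tuple[bytes, bytes],
          truncate: bool = False) -> bool:
    """Verify via a front end that rejects, or silently truncates, long input."""
    cap = LIMITS[front_end]
    if len(password) > cap:
        if not truncate:
            return False           # front end refuses the over-length password
        password = password[:cap]  # front end hashes only the first `cap` chars
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def survey(password: str) -> dict[str, tuple[bool, bool]]:
    """Per front end: (login ok when rejecting, login ok when truncating)."""
    record = enroll(password)
    return {fe: (login(fe, password, record),
                 login(fe, password, record, truncate=True)) for fe in LIMITS}

if __name__ == "__main__":
    # Constructed sample passwords: 5 and 29 characters.
    for pw in ("aB3$x", "correct horse battery staple!"):
        digest = hash_password(pw, b"\x00" * 16)
        print(len(pw), "chars ->", len(digest), "byte digest;", survey(pw))
```

Whether a front end rejects or truncates the over-length password, the digest it computes cannot match the one stored at enrollment, so the login fails either way.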