我应该对密码施加最大长度吗? [英] Should I impose a maximum length on passwords?

问题描述

我可以理解对密码施加最小长度很有意义(以保护用户免受其害)，但我的银行要求密码长度在 6 到 8 个字符之间，并且我开始怀疑...

• 这不会让蛮力攻击更容易吗?(坏)
• 这是否意味着我的密码未加密存储?(坏)

如果有人(希望)有一些优秀的 IT 安全专业人员为他们工作，他们正在强加最大密码长度，我是否应该考虑做类似的事情?这有什么优点/缺点?

解决方案

密码被散列为 32、40、128，无论长度如何.最小长度的唯一原因是防止容易猜到密码.没有最大长度的目的.

强制性的

I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...

• Wouldn't this just make it easier for brute force attacks? (Bad)
• Does this imply that my password is being stored unencrypted? (Bad)

If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?

解决方案

Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.

The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:

这篇关于我应该对密码施加最大长度吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！