Fog Creek Software Discussion Board

Usability: Fixed Length Passwords

Argh! Why do places insist on fixed length passwords?

I'm signing up for an account right now which allows a 6-30 char username. And a 6-8 char password?!

I can't think of any memorable 6-8 char password. 10-15, easy. Why not allow 6-15? Or is this some bizarre security requirement, requiring a short password?

I might just use 'password', after all it's 8 chars.

mb
Monday, November 10, 2003

If you think that's bad, try using E*TRADE, where your password is limited to 6 non-case-sensitive characters.

E-Trader
Monday, November 10, 2003

I believe the original password hashing algorithm on unix (crypt) only uses the first 8 chars of a string, so I think that's often why passwords were limited to 8 characters.

Matthew Lock
Monday, November 10, 2003

Whilst crypt() may or may not have been limited to eight characters, this is not the only source of the de-facto password size. It was eight characters in most IBM mainframe and mid-range systems, dating from periods equal to or earlier than crypt().

The earliest explanation I heard was that the human brain had a limited (reliable) capacity to remember sequences of characters, and that six-to-eight was the most that could reasonably be expected.

HeWhoMustBeConfused
Monday, November 10, 2003

Does it actually limit you to 8 characters?  In other words, does a 9-char password generate an error message?  It's possible that they mean "significant to 8 digits".

Matt Foley
Monday, November 10, 2003

A 9-character password doesn't generate an error. Any characters after the first 8 typically get ignored by crypt, so you wind up with an 8-character output based on the first 8 characters of the input.

Beth Linker
Monday, November 10, 2003

So if you set the password to 'antidisestablishmentarianism' you can login with just 'antidise'

A.T.
Monday, November 10, 2003

To create memorable but guess-resistant 6-8 character passwords:

Think of a song title, or phrase, and build passwords from that.

Actual passwords I have used (no longer in service):

bq54pc2 (Bloc Quebecois 54, Progressive Conservative 2, created on a system shortly after the memorable 1993 Canadian federal election. The numbers refer to the seats each party won in the House of Commons.)

lcro85%f (Latex condoms are only 85% effective)

ai1strb (All-in-one sucks the royal banana.  Password used on a DEC VAX running All-In-One as the email system. WordPerfect was the text editor in which one composed messages.)

The funnier it is, the harder it is to forget.

David Jones
Monday, November 10, 2003

Even worse than fixed-length passwords are passwords that have to fit a certain pattern.

The Mainframe passwords at a previous employer were 6 uppercase characters that had to fit the pattern CVCCVC (where C = Consonant, V = Vowel).

Since my group mainly used Unix (just had to enter hours on the Mainframe), we immediately wrote an awk script that found all the 6-letter and 3-letter words that matched this pattern.

While having this pattern stopped people from using 'AAAAAA' as their password, it really weakened the passwords to the point a simple recursive password checker would be able to guess passwords very quickly...

RocketJeff
Monday, November 10, 2003
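The two policy weaknesses raised in this thread, crypt()-style truncation to 8 significant characters and the CVCCVC pattern rule, expressed as a small keyspace calculator. This is an added example, not code from the thread; the letter classes (Y counted as a consonant) and the alphabet sizes are assumptions.

```python
import math

# Assumed character classes for the CVCCVC rule: uppercase letters only,
# with Y counted as a consonant (an assumption, not stated in the thread).
VOWELS = "AEIOU"
CONSONANTS = "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if c not in VOWELS)
ALNUM = 62             # a-z, A-Z, 0-9 (assumed alphabet for the web signup)
CRYPT_SIGNIFICANT = 8  # classic DES crypt() ignores everything after char 8

def pattern_keyspace(template: str) -> int:
    """Count passwords that fit a consonant/vowel template such as 'CVCCVC'."""
    size = 1
    for slot in template.upper():          # 'V' = vowel slot, anything else = consonant
        size *= len(VOWELS) if slot == "V" else len(CONSONANTS)
    return size

def free_keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Count passwords of min_len..max_len chars chosen freely from an alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy, assuming uniformly chosen passwords."""
    return math.log2(keyspace)

def effective_password(password: str, significant: int = CRYPT_SIGNIFICANT) -> str:
    """What a crypt()-style hash actually sees: only the first `significant` chars."""
    return password[:significant]

def same_under_truncation(a: str, b: str) -> bool:
    """True if two passwords collide once truncated, so either one logs in."""
    return effective_password(a) == effective_password(b)

def policy_report() -> dict:
    """Bits of entropy for each password policy discussed in the thread."""
    return {
        "6 chars, case-insensitive letters (E*TRADE)": bits(free_keyspace(26, 6, 6)),
        "6 uppercase letters, CVCCVC pattern (mainframe)": bits(pattern_keyspace("CVCCVC")),
        "6-8 chars, alphanumeric (fixed-length signup)": bits(free_keyspace(ALNUM, 6, 8)),
        "6-15 chars, alphanumeric (what mb asked for)": bits(free_keyspace(ALNUM, 6, 15)),
        "longer password, alphanumeric, truncated by crypt()": bits(free_keyspace(ALNUM, 8, 8)),
    }

if __name__ == "__main__":
    for policy, entropy in policy_report().items():
        print(f"{entropy:6.1f} bits  {policy}")
    # A.T.'s example: the long word and its 8-char prefix are the same password to crypt()
    print(same_under_truncation("antidisestablishmentarianism", "antidise"))
```

The CVCCVC rule leaves about 22 bits, versus about 28 bits for six unconstrained uppercase letters, before any dictionary filtering shrinks it further.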

David's got the right idea. Have a mnemonic but make the password itself conform to all the upper case/lower case/alphanumerical rules.

Stephen Jones
Monday, November 10, 2003

Exactly -- I use patterns which are hard to guess but easy to remember.
The problem is that I have a hard time coming up with 6-8 character ones.
And often they return an error if you type more than 8 chars. I wouldn't mind the 'significant' chars; the front of the password could still be random looking but the entire pattern is longer, and remembering to just stop at 8 chars is difficult.

And who cares what IBM mainframes use, or what crypt() uses. They also had limits on account names, and somehow the companies have managed to extend that field.

Oh well... at least it's better than some accounts I've signed up for where they immediately email you the password.

mb
Monday, November 10, 2003

Most of my passwords are generally either perverse or scatological, with l33tisms and character scrambling used so that it doesn't actually resolve into proper words that can be dictionary-blasted.

Perverse or scatological passwords are easy to remember, as long as you don't need to share passwords. ;)

Flamebait Sr.
Monday, November 10, 2003

> The earliest explanation I heard was that the human brain had a limited (reliable) capacity to remember sequences of characters, and that six-to-eight was the most that could reasonably be expected.

The original study showed that humans could typically expect to accurately keep six to eight unrelated "things" in SHORT TERM memory at one time.  A seven-digit phone number, for example, is pretty easy to keep in short-term memory, but it is quite difficult to keep two seven-digit phone numbers in short-term memory without some kind of "chunking" or other mnemonic device.

From this fact, countless bozos have made unwarranted assumptions about long-term memory and other tangentially related fields.  The study was on short-term memory of unrelated, discrete items, but passwords require long-term memory of chunky, internally consistent items.  The password "NowIsTheTimeForAllGoodMenToComeToTheAidOfTheParty123!@#" is pretty darn easy to remember long-term!

A typical human can remember the spellings of tens of thousands of long words for decades, so obviously the "seven is the magic number" study has absolutely no bearing on the question of optimal password length. And yet people continue to quote it! It's become part of our folk knowledge of psychology, along with canards like the Inuit having fifty words for snow. Bizarre, isn't it?

Eric Lippert
Monday, November 10, 2003

This is more of a security problem than a usability one.  It is really insane to have your attackers know that your passwords are restricted to a standard, limited length.

T. Norman
Tuesday, November 11, 2003

I use PasswordAgent from Moon Software.

http://www.moonsoftware.com/

It worked well for me.

Patterns Guy
Tuesday, November 11, 2003

AskTog.com has an interesting article on passwords, and how forcing a too-tough password on users compromises your original intent, security:
http://www.asktog.com/columns/026Security.html

and about Miller's law, which states that most people can remember 7 items, give or take 2 (shorthand: 7 +/- 2): http://www.asktog.com/columns/013SevenPlusOrMinus.html

anon
Wednesday, November 12, 2003