The online community for software testing & quality assurance professionals
 
 
Gaurang_Shah
Advanced Member


Reged: 02/11/08
Posts: 558
Loc: Ahmedabad, India
Ideal password length.
      #590406 - 09/10/09 10:38 PM

Hi folks,

I am not sure whether I should ask this here or not, but would you give me any suggestions about what the minimum and maximum password length should be?

--------------------
GauranG Shah
I don't make the software, Rather I make it better.
My Blogs:
All About Automation
Spell Checker


TnkerBell
Active Member


Reged: 09/01/08
Posts: 1051
Loc: Neverland
Re: Ideal password length. [Re: Gaurang_Shah]
      #590410 - 09/10/09 11:37 PM

It depends on the application right? Like, if you create a password with only 4 characters then you might get a pop up [validation] saying that your password must be more than 6 characters. In this case the minimum password length must be 6.

--------------------
Regards,
Tinker

"The most wasted of all days is one without laughter."
-e e cummings


Gaurang_Shah
Advanced Member


Reged: 02/11/08
Posts: 558
Loc: Ahmedabad, India
Re: Ideal password length. [Re: TnkerBell]
      #590420 - 09/11/09 12:46 AM

I guess I failed to make you understand.

I just want to know what the minimum and maximum password length should be.

See, I can design the application such that it allows the user to set either a blank password or one as long as 256 characters. But that won't be a good idea, because a blank password is not good from a security point of view and there should be a limit for the maximum characters you can use for a password.

I just want to know what would be the ideal thing?

--------------------
GauranG Shah
I don't make the software, Rather I make it better.
My Blogs:
All About Automation
Spell Checker


stoofer
Member


Reged: 08/11/08
Posts: 250
Re: Ideal password length. [Re: Gaurang_Shah]
      #590424 - 09/11/09 01:14 AM

I think Smokin failed to make you understand - it's context dependent.

Is it a screensaver? Is a screensaver a security risk if it has a blank password? Only in some environments? Well what is the environment?

How secure does it need to be?

And isn't this really a design/BA issue? Can you go ask them?


WhoCares
Member


Reged: 09/05/06
Posts: 68
Loc: Vadodara, India
Re: Ideal password length. [Re: stoofer]
      #590434 - 09/11/09 02:00 AM

Gaurang,

Give or take, six characters is something an ordinary user would be able to remember and will prefer to have. Any more characters and it becomes kind of a burden to remember. On the higher side I would say eight characters.

Thx


stoofer
Member


Reged: 08/11/08
Posts: 250
Re: Ideal password length. [Re: WhoCares]
      #590447 - 09/11/09 02:40 AM

Quote:

Gaurang,

Give or take, six characters is something an ordinary user would be able to remember and will prefer to have. Any more characters and it becomes kind of a burden to remember. On the higher side I would say eight characters.

Thx




How did you come to such a figure? Would you come to the same figure if it was your classified military web mail password or a field allowing just your gaming clan access to a forum to discuss Left 4 Dead?


Joe Strazzere
Moderator


Reged: 05/15/00
Posts: 12344
Loc: Massachusetts, USA
Re: Ideal password length. [Re: stoofer]
      #590477 - 09/11/09 04:43 AM

Gaurang,

Clearly it depends on the application's needs for security.

There's a pretty good discussion of the considerations, and some suggestions for length of passwords here:
http://en.wikipedia.org/wiki/Password_strength

--------------------
- Joe
Visit AllThingsQuality.com to learn more about quality, testing, and QA!

I speak only for me. I do not speak for my employer, nor for anyone else.


darkage
Advanced Member


Reged: 04/02/05
Posts: 557
Loc: Hong Kong
Re: Ideal password length. [Re: Joe Strazzere]
      #590693 - 09/14/09 01:48 AM

Gaurang,

I don't think there are any standards for the length of a password. As most of the people said, it is context driven. That is, it depends on your / the application's requirements. At some places, a 4 char all digit password may work; at some, a lengthy alphanumeric with specials may be required.

All that depends on what kind of application it is and what are the security requirements.

OWASP mentions certain parameters for password length.


TnkerBell
Active Member


Reged: 09/01/08
Posts: 1051
Loc: Neverland
Re: Ideal password length. [Re: Gaurang_Shah]
      #590700 - 09/14/09 02:16 AM

Quote:

I guess I failed to make you understand.

I just want to know what the minimum and maximum password length should be.

I just want to know what would be the ideal thing?




Six characters would be an ideal minimum length. 12 should be an ideal max. length for a password.

A blank password is a strict no-no

--------------------
Regards,
Tinker

"The most wasted of all days is one without laughter."
-e e cummings


stoofer
Member


Reged: 08/11/08
Posts: 250
Re: Ideal password length. [Re: TnkerBell]
      #590712 - 09/14/09 03:34 AM

Quote:

Six characters would be an ideal minimum length. 12 should be an ideal max. length for a password.

A blank password is a strict no-no




You can't state this without context. Perhaps I want a system that allows blank passwords - minimum security but with an option for more protection. Perhaps I have access to the big red Nuke button behind my password - you can be sure I want it to be longer than 12 characters, and reject words, partial words and demand special characters.

Without context, it's an impossible question.

Tell me, what size trousers should I buy?


JakeBrake
Moderator


Reged: 12/19/00
Posts: 15290
Loc: St. Louis - Year 2025
Re: Ideal password length. [Re: TnkerBell]
      #590728 - 09/14/09 05:03 AM

Quote:

Tinker: Six characters would be an ideal minimum length. 12 should be an ideal max. length for a password.




I disagree. So does Darkage. So do others. Darkage posted this just above your response. You might find it worth a read.

"Ideal" is not determined by one's opinion. "Ideal" is driven by need, even though when "need" has been stated in requirements - it has always been shortsighted.


WhoCares
Member


Reged: 09/05/06
Posts: 68
Loc: Vadodara, India
Re: Ideal password length. [Re: JakeBrake]
      #590740 - 09/14/09 05:41 AM

Hi Stoofer,

Suggested length of password was based on "Normal human" and not the one who is testing top secret military project or nuke buttons as you have said. Ask yourself a question or run inventory of your personal password I am sure they would exceed total length more than your complete name


stoofer
Member


Reged: 08/11/08
Posts: 250
Re: Ideal password length. [Re: WhoCares]
      #590741 - 09/14/09 05:59 AM

Quote:

Ask yourself a question or run inventory of your personal password I am sure they would exceed total length more than your complete name




Could you please clarify what you mean by this sentence, as I cannot understand it?


JakeBrake
Moderator


Reged: 12/19/00
Posts: 15290
Loc: St. Louis - Year 2025
Re: Ideal password length. [Re: stoofer]
      #590769 - 09/14/09 07:33 AM

About two years ago in China there was a couple who wanted to name their son @. I guess WhoCares is saying this kid's password length would be greater than one character for nuke buttons???

brentpaine
Veteran


Reged: 03/09/07
Posts: 3755
Loc: Waterloo, Ontario, Canada
Re: Ideal password length. [Re: JakeBrake]
      #590782 - 09/14/09 07:54 AM

I actually have a 42-character password. Unlike many, who use passwords like their parents' middle names, or spouses' maiden names, I use pass phrases in order to ensure my security. Well, not at qaforums, but anywhere that I want to protect something important or keep my wife out, I'll use it.

--------------------
Brent
--------------------
9 out of 10 people I prove wrong agree that I'm right. The other person is my wife.
--------------------


stoofer
Member


Reged: 08/11/08
Posts: 250
Re: Ideal password length. [Re: JakeBrake]
      #590805 - 09/14/09 08:29 AM

Quote:

About two years ago in China there was a couple who wanted to name their son @. I guess WhoCares is saying this kid's password length would be greater than one character for nuke buttons???




Well that's what I thought, but WhoCares also stated 6-8 characters for a password so I got confused

My typical passwords for anything important are 20+ characters. If I used an e-commerce site that retained my payment information and it limited me to 8 characters, I'd be extremely concerned.


JakeBrake
Moderator


Reged: 12/19/00
Posts: 15290
Loc: St. Louis - Year 2025
Re: Ideal password length. [Re: stoofer]
      #590885 - 09/14/09 12:15 PM

Then again, it is more important that the encryption method is robust. You can have a password hundreds of chars in length. If some idiot decided to use ROT13 or ROTn to encrypt, a password could be cracked in milliseconds.

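Added example (not part of the thread and not any poster's code): the point in the post above, that how a password is stored matters more than how long it is, shown in Python. ROT13 hands the password back to anyone who reads the stored value, whatever its length, while a salted PBKDF2 hash stores 32 bytes for a short password and a long passphrase alike. The iteration count and the 1 to 256 character bounds are assumptions made for this example.

```python
import codecs
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor for this example; tune to your hardware
MAX_LEN = 256          # assumed cap, only to bound request size (figure from the thread)


def rot13_store(password):
    """Weak scheme named in the post: fixed letter rotation, no key, no salt."""
    return codecs.encode(password, "rot_13")


def rot13_recover(stored):
    """Whoever reads the stored value recovers the password in one call."""
    return codecs.decode(stored, "rot_13")


def hash_password(password):
    """Return (salt, digest); the digest is 32 bytes whatever the password length."""
    if not 1 <= len(password) <= MAX_LEN:   # assumed policy: non-blank, capped
        raise ValueError("password length outside accepted range")
    salt = secrets.token_bytes(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample passwords: one short, one long passphrase.
    short_pw = "abc123"
    long_pw = "a constructed passphrase far longer than twelve characters"

    stored = rot13_store(long_pw)
    print("ROT13 stored value reversed:", rot13_recover(stored) == long_pw)

    for pw in (short_pw, long_pw):
        salt, digest = hash_password(pw)
        print(len(pw), "chars ->", len(digest), "byte digest,",
              "verifies:", verify_password(pw, salt, digest))
```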
Fire_Tornado
Newbie


Reged: 02/15/07
Posts: 6
Re: Ideal password length. [Re: JakeBrake]
      #590887 - 09/14/09 12:38 PM

Based on what you're developing the app for, maybe this page would be useful.

http://www.unifiedcompliance.com/matrices/live/00520.html

It has the different codes that people use for developing their password "rules". You can then Google the specific code that you find interesting and see what it says. Some places require a minimum of 8 characters, with at least one special character, one upper case, one lower case, and one number. It just depends on what your target audience is.


Walen
Super Member


Reged: 05/09/01
Posts: 1254
Re: Ideal password length. [Re: Fire_Tornado]
      #590894 - 09/14/09 01:29 PM

I find myself in complete agreement with Brent. The answer here is clearly 42.

--------------------
P. Walen

My Blog: http://rhythmoftesting.blogspot.com/


WhoCares
Member


Reged: 09/05/06
Posts: 68
Loc: Vadodara, India
Re: Ideal password length. [Re: stoofer]
      #590925 - 09/14/09 09:35 PM

Quote:

Could you please clarify what you mean by this sentence, as I cannot understand it?




I wanted to convey that your (personal) password would not exceed the total characters in your name. But since you are in the testing domain, it seems that it actually exceeds it. However, considering an ordinary person, it becomes tedious to remember long passwords. Hope this clarifies.

