Password Maximum Length

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Password Maximum Length

Post by Benjamin »

When you're running md5 on a password before you save it to the database, is there any point at all to check the content of the password, or its maximum length?

Take the following for example..

$password = md5($_POST['password']);

$password is now just a 32-character string. The real password could be anything, of any length.

So, I am assuming that checking to make sure the password is less than X characters is pointless.

Am I correct?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

No, it is not pointless. The reason is to do a sanity check on how potentially strong the password is. The longer the password is, the more secure it potentially becomes. Checking for it having w lowercase, x uppercase, y numbers, and z symbols would add more security checking of the password.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I'm sorry, I meant that besides checking the minimum length and the content for strength, there isn't any reason to limit the length or disallow any specific characters.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There's no reason to have a maximum length, only a minimum.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Ok cool just checking.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

~astions. MD5 works on binary strings and ASCII strings, so the password could be anything really. Disallowing characters just means your users have less chance of picking a strong password.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Yeah I know, I just wanted to make sure there weren't any issues with it being like 4000 characters or something. This makes me wonder why Yahoo, Hotmail and almost every large web site limits the length of your password :?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

The length could be quite large. The only limitation would be the web server's setting for maximum post data size.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Hehe, a 42kb password. But yes, I take the view that filtering password input is unnecessary.
kbrown3074
Forum Contributor
Posts: 119
Joined: Thu Jul 20, 2006 1:36 pm

Post by kbrown3074 »

Ok..since I haven't used it..what exactly is md5()? I could search on it..but too lazy 8O
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It's a hash function. :roll: <- that means search
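
Added example, not part of the original thread or any poster's code: the check the thread converges on (a minimum length plus per-class character counts, no maximum length, no banned characters), run over constructed inputs to show that the md5() digest is 32 hex characters whatever the input size. The thresholds, function names and sample passwords are assumptions; md5() is used only because it is the function the thread discusses.

```php
<?php
// Assumed policy values for illustration (the thread's "w, x, y, z").
const MIN_LENGTH = 8;
const MIN_PER_CLASS = ['lower' => 1, 'upper' => 1, 'digit' => 1, 'symbol' => 1];

// Count bytes in each character class; anything non-alphanumeric
// (including spaces and binary bytes) counts as a symbol, so nothing is banned.
function count_classes(string $password): array
{
    return [
        'lower'  => preg_match_all('/[a-z]/', $password),
        'upper'  => preg_match_all('/[A-Z]/', $password),
        'digit'  => preg_match_all('/[0-9]/', $password),
        'symbol' => preg_match_all('/[^a-zA-Z0-9]/', $password),
    ];
}

// Return a list of policy violations; an empty list means accepted.
// There is deliberately no upper bound on length here.
function password_problems(string $password): array
{
    $problems = [];
    if (strlen($password) < MIN_LENGTH) {
        $problems[] = 'shorter than ' . MIN_LENGTH . ' bytes';
    }
    foreach (count_classes($password) as $class => $count) {
        if ($count < MIN_PER_CLASS[$class]) {
            $problems[] = 'needs at least ' . MIN_PER_CLASS[$class] . " $class character(s)";
        }
    }
    return $problems;
}

// Constructed sample inputs: too short, mixed, and a 4000-byte password.
$samples = ['abc', 'Tr0ub4dor&3', str_repeat('Aa1! ', 800)];

foreach ($samples as $pw) {
    $problems = password_problems($pw);
    $digest   = md5($pw); // same call as in the first post
    printf(
        "%5d bytes in, %d hex chars out, %s\n",
        strlen($pw),
        strlen($digest),
        $problems ? 'rejected: ' . implode('; ', $problems) : 'accepted'
    );
}
```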