Breaking Barriers: Empowering Your Login System with Long Password Support

Strong passwords are necessary for securing user accounts and protecting sensitive data. As a frequent user of authentication systems and principal engineer for a single sign-on solution, I appreciate the necessity of delivering seamless user experience while emphasizing security. In this article, I’ll go over the advantages of long passwords, the obstacles for service providers of supporting them, and how to effectively implement them in your login system.

The Importance of Password Security #

The Rise of Long Passwords #

Passwords serve as the first line of defense in securing user accounts. Longer passwords provide a higher degree of complexity and entropy, making it exponentially more challenging for hackers to crack them. Allowing users and especially their password manager to go wild when creating a unique password for your login system helps to keep their online accounts safe from unauthorized access. Not restricting passwords to an artificially fixed length ensures that your users’ accounts remain more secure.

In a world where data breaches and identity theft are all too common, supporting creation of secure passwords is not just a luxury, but an essential measure to protect the digital lives and assets of users worldwide. The necessity of supporting strong passwords cannot be overstated in an era where cyber threats are rapidly evolving and becoming increasingly sophisticated. By implementing maximum length support, businesses and developers demonstrate their commitment to safeguarding user data, fostering trust, and promoting customer loyalty.

Password Maximum Length Limitations #

Common Password Max Length Limits #

Password max length limits have long been a source of contention, as they frequently place unnecessary constraints on users, knowingly undermining the overall security of their accounts. Many systems have historically imposed an arbitrary maximum length, such as 6, 8, 12, or 16 characters, under the erroneous assumption that shorter passwords are easier to remember and manage.

These restrictions however, only limit users’ ability to form strong, secure passwords, rendering them more vulnerable to brute force attacks and other hacking attempts. It is overdue for developers and businesses to abandon these antiquated methods and embrace the need for lengthier password limits, allowing users to better control their digital security and secure their precious data.

Maximum Password Length: Why do Length Limits Exist? #

Length restrictions occur mostly as a result of historical and technological constraints, as well as erroneous worries about usability. Because storage and processing resources were rather limited in the early days of computers, developers implemented password length constraints to conserve resources and assure optimal system operation. However, as technology and our understanding of cybersecurity have grown, it has become increasingly evident that these length constraints are ineffective and dangerous. In today’s digital landscape, we must reconsider the justification for these length constraints and favor robust security measures above outmoded norms.

The Consequences of Short Password Limits #

Short password constraints can have far-reaching and negative repercussions, as they essentially compromise the security and integrity of users’ digital accounts. Systems unwittingly encourage users to choose weak, readily guessable passwords by enforcing an artificial upper limit, making them attractive targets for cybercriminals. When using short passwords, dictionary attacks, and other common hacking techniques become substantially more effective, increasing the likelihood of unauthorized access, data breach, and identity theft. The consequences of these security flaws can be disastrous for both individuals and businesses, resulting in financial losses, reputational damage, and erosion of user trust. Finally, by adhering to obsolete short password constraints, we are maintaining a cybersecurity culture of complacency and putting our digital lives at risk.

The Benefits of Long Passwords #

Secure Password: Enhanced Security Through Entropy #

Password entropy assesses a password’s randomness and predictability, taking into account the length of the password, its character set, and overall complexity. We build stronger, more secure passwords that are significantly more resistant to hacking attempts by boosting password entropy. High-entropy passwords are less vulnerable to a brute force attack, dictionary attacks, and other typical cybercriminal techniques, creating a formidable barrier to illegal access. As a cornerstone of cybersecurity, we must prioritize the fight for low password predictability.

Resistance to Brute-force Attacks #

Brute-force resistance is an essential aspect of maintaining strong digital security. A classical brute-force attack by cybercriminals attempts to guess a user’s password methodically through trial and error, relying on brute computational power. Credential stuffing and password spraying are two more modern manifestations, that leverage de-hashed credentials from historic data breaches or statistical information on common passwords.

Long, unique passwords are the best security against such assaults since they exponentially increase the number of possible combinations, making it substantially more time-consuming and resource-intensive for attackers to succeed. We develop a powerful line of defense that deters hackers and protects our precious data by embracing password best practices and encouraging users to always use different passwords everywhere.

Encouraging the Use of Password Managers #

Encouraging the use of a password manager is an important step towards boosting digital security and promoting good password usage. A password vault not only securely stores and manages users’ credentials, but also helps to generate long and unique passwords for each account. They relieve users of the burden of creating and remembering high-entropy passwords while dramatically minimizing the risk of illicit access and data breaches.

A good password manager also makes the user experience less stressful, reducing the temptation to reuse weak passwords or utilize insecure storing methods. We must advocate for using a password manager and recognize the importance they play in safeguarding our digital lives, one secure password at a time. Users should avoid using one master password across various services.

How to Support Long Passwords in Your Login System #

Supporting long passwords can present some technical challenges depending on the technologies you already use, particularly when it comes to storage needs and processing times for hashing passwords.

Updating Your Database and Storage #

Adapting to Longer Password Storage #

The first step in supporting long passwords is to allow for a greater number of characters in your credentials database. This can be as simple as updating the password length constraints in your code and database schema.

State-of-the-art hashing algorithms, such as Argon2id, scrypt and bcrypt, generate encoded hash outputs of variable sizes, ranging from 128 to 512 bits or more, depending on the algorithm and setup settings.

The Importance of Secure Hashing #

It is crucial to store passwords in a way that prevents an attacker from obtaining them even if the application or database itself is compromised or breached. To securely store long passwords, use a strong hashing algorithm such as Argon2 or scrypt. These algorithms have been designed to accommodate greater password lengths, but also they are slow and resource-intensive, making offline brute-force attempts more difficult.

According to the Open Worldwide Application Security Project (OWASP), you should make sure to use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism or scrypt with a minimum CPU/ memory cost parameter of (2^17), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.

Bcrypt, another extensively used hashing method, has technical constraints that limit passwords to 72 bytes, which is likely insufficient if you wish to allow your users to utilize long unicode passwords.

Transitioning Existing User Data #

Transitioning existing password hashes to a newer, more secure hashing algorithm is an important part of maintaining a strong security posture. As earlier hashing methods become more vulnerable to attacks, it is critical to migrate to modern and resilient algorithms like Argon2. One successful method for achieving this change is to adopt a gradual, seamless process that causes minimal disturbance to users. Using a dual-hash technique, computers can store both the old and new hashes at the same time during the transition period.

When users log in, their passwords are checked against the legacy hash, and if they pass, the new hashing algorithm is applied to same password, and kept alongside the old password hash. As more people log in, the system gradually transitions to the new, more secure hashing mechanism. This technique not only improves security but also indicates a dedication to safeguarding users’ data.

Implementing Front-end Changes #

Adapting User Interface Elements #

To enable increased password max length, designers and developers must prioritize user-friendliness and intuitiveness when accommodating longer passwords within the interface. This involves at least expanding password fields.

If you intend to expand the maximum password length and plan to allow the longest password to have 100 characters, each password field in your sign-up and sign-in experiences should accept at least 101 characters. If a user or their password generator provides a 120-character password, your form can actually notify the user that they have entered too many characters and should input fewer. Otherwise, systems may truncate passwords by accident, which must be avoided!

Enabling Client-side Input Validation #

Client-side password validation is a convenience feature that assists users in creating strong passwords by providing instant feedback (and a security warning in some cases) on the password’s compliance with the password strength policy. Furthermore, this proactive approach reduces server load, as fewer invalid password attempts are sent to the server for processing.

Encouraging Strong Password Practices #

Include a good password strength meter into your login form that gives users real-time feedback as they create their passwords. Especially in combination with a user-friendly password strength policy, visual indicators can be used to encourages users to create long, complicated passwords and educates them on the necessity of strong password security.

Password Manager Support #

Users can use password managers to create and maintain multiple passwords of maximum lengths without having to remember them. By integrating password manager support into your login system, you improve the user experience by enabling seamless autofill capabilities and decreasing the pressure on users to memorize randomly generated credentials.

Back-end Considerations #

Implementing Server-side Password Validation #

Enabling backend-side password input validation is crucial for maintaining a secure and reliable login system since it acts as a last line of defense against incorrect or malicious input. While client-side validation provides rapid feedback and improves user experience, it can also expose systems to security vulnerabilities because it can be bypassed or manipulated by determined attackers. Backend validation guarantees that password inputs comply with defined security policies and requirements, effectively blocking any unauthorized or non-compliant attempts that may have slipped through client-side checks. Businesses and developers establish a multi-layered approach to password security by including both client-side and backend-side validation based on the same rules.

Ensuring Backward Compatibility #

Backward compatibility is critical when adjusting password length limits for businesses and developers looking to improve their login systems without impacting user experience. As systems evolve to support longer, more secure passwords, it is critical to preserve compatibility with old user credentials while avoiding unnecessary friction for users. One useful method is to provide a grace period during which users can continue to use their current passwords while being gently reminded to update them to match the new, stricter requirements. This can be accomplished via in-app notifications, email reminders, or the password reset process.

Long Password Denial of Service #

Password max length constraints can be quite problematic, and there are numerous complaints about overly short password limits all over the internet. Maximum password lengths, on the other hand, are also a wonderful thing to have. Denial of service (DoS) attacks on password hashing for example is a real security risk: By sending a overly long password of e.g. 1.000.000 characters it’s possible to cause severe CPU and memory exhaustion, consequentially resulting in a denial of service attack on the server.

An explicit maximum password length helps furthermore with testing all of your password input fields as well as middleware and with assuring consistency throughout distributed system landscapes. Every strong password strength policy should include an explicit maximum length!

Testing & Monitoring Your Updated System #

After adjusting password length limits, testing and monitoring a login system is an essential component of ensuring a smooth transition and maintaining optimal security standards. As businesses and developers adjust their systems to allow longer, more complicated passwords, it is critical to do extensive testing to evaluate the modified system’s performance, usability, and security. Unit tests, integration tests, and stress tests are all performed to detect potential vulnerabilities, bottlenecks, and opportunities for improvement. Once the system is in place, continual monitoring is required to detect and address any unanticipated issues, track user adoption of the new minimum password length regulations, and assure the security measures’ ongoing efficacy.

Best Practices for Long Password Support #

Adopting a Balanced Password Policy #

A well-balanced password policy encourages users to compose strong, unique passwords by establishing adequate minimum length, complexity, and character diversity criteria that are not unduly restrictive or difficult. This includes criteria such as minimum length and max password length, screening for compromised credentials, and refusing commonly used passwords. Businesses and developers can encourage the use of secure credentials while reducing user frustration and the temptation to use weak, readily guessable passwords by creating an environment in which users can easily adhere to password best practices. Finally, in an increasingly security-conscious digital environment, a balanced password strategy is critical for preserving sensitive information and promoting user confidence.

Regularly Reviewing & Updating Security Measures #

In the constantly evolving field of digital security, where new threats and vulnerabilities arise on a regular basis, assessing and updating security measures is a must. Periodic audits and reviews of existing security measures, such as password policies, hashing algorithms, and encryption techniques, ensure that the login system is up-to-date and resilient to attacks. Businesses can fine-tune their security approach by incorporating input from these evaluations, resolving any flaws and capitalizing on possibilities for improvement.

Staying Informed About New Threats & Trends #

Proactive monitoring of the most recent security trends, research, and best practices enables businesses and developers to stay ahead of potential threats and maintain a strong security posture. While account take-overs through credential stuffing or password spraying are considered a modern security epidemic, also authentication practices are currently transitioning into a new era:

One common trend is to balance security and friction by leveraging passwordless step-up authentication concepts.Another fresh approach are Passkeys that are based on FIDO standards and allow probably the most secure passwordless sign-in experience that ever existed. After Apple started supporting passkeys natively, also Google recently introduced passkeys for Google Accounts and said “So long passwords, thanks for all the phish”.

Make sure to stay informed about offensive threats as well as defensive trends and ensure that you follow industry best practices!

Creating a Security-centric Culture

Learn how to make security the norm rather than the exception in your organisation. Join Troy Hunt and his Pluralsight course: Security-centric Culture.

Note: As a paid Pluralsight influencer, I earn from referring.

Summary #

Secure password support in your login system is a critical step in securing user accounts and protecting sensitive data. Allowing for larger password lengths, employing a secure hashing algorithm, utilizing password managers, and including password strength validators all help users establish strong, secure passwords. Furthermore, testing and optimization, as well as user education, play an essential role in maintaining a strong login system. To provide a seamless and safe user experience, remember to strike a balance between security and usability.

Frequently Asked Questions (FAQs) #

• What is the ideal password length? – The ideal password length is a point of discussion among security experts, however there is universal agreement that longer passwords provide a higher level of protection. To provide proper security, a password should be at least 12-16 characters long. It is crucial to note that as computational power grows, the optimum password length may need to be altered in the future to keep up with evolving threats.
• How do I manage long passwords without forgetting them? – Using a password manager is one of the most reliable and handy options. You can also use mnemonic techniques to construct memorable yet strong passwords. For example, you can create a passphrase by mixing the initial letter of each word of a memorable statement with numbers and unique characters. It is critical to avoid using the same password for several accounts!
• Are there any drawbacks to using long passwords? – Despite theoretical difficulties in terms of memorability and user-friendliness, the advantages of employing long passwords in terms of improved password security exceed the drawbacks. Backwards compatibility and processing time challenges are no longer viable issues for modern systems.
• Is there any security risk in not setting a maximum password length? – An attacker could submit a non-reasonable amount of random characters to the login system if there is no maximum limit, resulting in increased processing time and resource consumption during hashing. Repeated attempts with exceptionally long passwords can result in a DoS attack, which overloads the server and reduces its availability to genuine users.

Written by Jan Brennenstuhl

Jan Brennenstuhl is a Principal Software Engineer, balancing security with friction for users. He helped building an IAM team and spent years in engineering single sign-on (SSO) solutions based on OIDC.