Use a max length password.... or not?


JimWilliamson

Well-known member
Nov 15, 2020
60
26
Which is more secure - to use the maximum length password a system will allow, or use a slightly shorter length password?

When using a password manager, it becomes trivial to use passwords that match the maximum length a system will allow. But, if that became practice, would that "known length" password be harder or easier to crack than using a password of slightly less than maximum length - say a random few characters shorter than maximum length? If max length became the norm - hackers would target that length only (or first).

Thoughts?
 

Coffee

Member
Jan 14, 2023
10
2
If the max password length allowed is short, using every character (bit of entropy) permitted is essential. If the max password length is large, it won't matter if they guess that you're using that many characters because it will take them an eternity to brute strength attack.

For expedience and the quickest returns, I expect the typical hacker to go for the low-hanging fruit first. That would bias their attacks on the shorter range of password lengths.
 

PHolder

Well-known member
Sep 16, 2020
997
2
443
Ontario, Canada
If we're talking 15+ characters, I presume you're using a password manager (or writing them in a book, the analog password manager.) In this case you should be making your password truly random. There is no opportunity for password cracking when your password is 25+ characters, and there probably never will be, no matter the advances in technology. So based on that fact, it probably doesn't matter either way, but length will always make it take [much] longer to theoretically attack. (The attack might go from 10x the age of the universe to 1000x though.)
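
The trade-off discussed in this thread, worked through as an added example (not part of any poster's message): it measures how much search an attacker avoids by knowing the exact length, and compares "always use the maximum" with "pick a random length a few characters shorter" against an attacker who knows the policy. The 95-character printable-ASCII alphabet, uniformly random characters and the 25-character limit are assumptions made for illustration.

```python
from fractions import Fraction

PRINTABLE = 95  # assumed alphabet: printable ASCII characters


def keyspace_exact(length, alphabet=PRINTABLE):
    """Number of passwords of exactly `length` characters."""
    return alphabet ** length


def keyspace_up_to(length, alphabet=PRINTABLE):
    """Number of passwords of 1..length characters (exact length unknown)."""
    return sum(alphabet ** n for n in range(1, length + 1))


def length_leak_saving(length, alphabet=PRINTABLE):
    """Fraction of the 1..length search avoided by knowing the exact length."""
    return 1 - Fraction(keyspace_exact(length, alphabet),
                        keyspace_up_to(length, alphabet))


def expected_guesses(min_len, max_len, alphabet=PRINTABLE):
    """Average guesses for an attacker who knows the policy: length drawn
    uniformly from min_len..max_len, characters uniformly random.
    Shorter candidates are individually more likely, so they are tried first."""
    lengths = range(min_len, max_len + 1)
    tried, total = 0, Fraction(0)
    for n in lengths:
        size = alphabet ** n
        # Guesses already spent on shorter lengths, plus the average
        # position of the target inside this length's block.
        total += Fraction(1, len(lengths)) * (tried + Fraction(size + 1, 2))
        tried += size
    return total


if __name__ == "__main__":
    max_len = 25  # constructed example limit
    saving = float(length_leak_saving(max_len))
    print(f"search avoided by knowing the length: {saving:.4%}")
    always_max = expected_guesses(max_len, max_len)
    few_shorter = expected_guesses(max_len - 3, max_len)
    ratio = float(always_max / few_shorter)
    print(f"always-max needs {ratio:.2f}x the guesses of 0-3 chars shorter")
```

Under these assumptions a known length saves the attacker only about 1/95 of the work, while randomly dropping up to three characters cuts the expected effort to roughly a quarter.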