Tuesday, February 6, 2018

Minimum Password Lengths

Troy Hunt:

When I run my Hack Yourself First workshop, that’s one of the first questions I ask - “what’s the correct minimum password length?” I was thinking about that again just this weekend when preparing V2 of Pwned Passwords because I thought I might be able to use a minimum length threshold to reduce the size of the data set. So, rather than projecting my own views on minimum password length, I thought I’d go and check what the world’s top sites are doing. Here’s 15 of the biggest with a summary and some further commentary after that[…]


The point of all this is that you can no longer just look at a minimum length and say “ah, 6 characters - or even just 4 - is way too few” because authentication schemes can be far more intelligent than simply matching those 2 strings. That’s not to say those nice round, even numbers are always correct either - there are plenty of sites that don’t have any intelligence beyond mere string matching - but hopefully it provides food for thought.
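What a check that goes beyond plain string matching can look like, as an added example that is neither Troy Hunt's nor this page's own code: a policy that enforces a minimum length and then rejects any password present in a breach corpus held in the Pwned Passwords download format (one `<SHA-1 hex>:<count>` line per password), looked up by the first five hex characters of the hash. The corpus below is built from a handful of constructed plaintexts with made-up counts, not real breach data, and the function names are assumptions for the illustration.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed sample, NOT real breach data: the real corpus would be the
# downloadable Pwned Passwords file, whose lines look like "<SHA-1 hex>:<count>".
SAMPLE_BREACHED: dict[str, int] = {
    "password": 1000,
    "123456": 5000,
    "letmein": 42,
    "P@ssw0rd": 7,  # 8 chars and mixed classes, yet still breached
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as used by the corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus_lines(plain: dict[str, int]) -> list[str]:
    """Render constructed plaintexts into 'HASH:count' lines (simulating the download)."""
    return [f"{sha1_hex(p)}:{n}" for p, n in plain.items()]


def index_by_prefix(lines: list[str]) -> dict[str, dict[str, int]]:
    """Index 'HASH:count' lines by 5-char hash prefix, so a lookup never needs
    the full hash of the candidate password to leave the calling code."""
    idx: dict[str, dict[str, int]] = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        h, count = line.split(":", 1)
        idx[h[:5]][h[5:]] = int(count)
    return idx


def breach_count(password: str, idx: dict[str, dict[str, int]]) -> int:
    """Number of times the password appears in the corpus (0 if absent)."""
    h = sha1_hex(password)
    return idx.get(h[:5], {}).get(h[5:], 0)


def check_password(password: str, idx: dict[str, dict[str, int]],
                   min_length: int = 8) -> tuple[bool, str]:
    """Accept only passwords that meet the length floor AND are not known-breached.
    len() counts code points; a site may wish to count bytes or graphemes instead."""
    if len(password) < min_length:
        return (False, f"shorter than {min_length}")
    n = breach_count(password, idx)
    if n:
        return (False, f"seen {n} times in breach corpus")
    return (True, "ok")


# Index built once at import time from the constructed sample.
CORPUS_INDEX = index_by_prefix(build_corpus_lines(SAMPLE_BREACHED))

if __name__ == "__main__":
    for candidate in ("abc", "password", "P@ssw0rd", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, CORPUS_INDEX)}")
```

The prefix index is the same shape a range lookup returns: the caller hashes the candidate locally, asks only for the bucket matching the first five hex characters, and finishes the comparison on its own side, so the corpus (or a remote service holding it) never learns the full hash.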

Safari actually knows about the requirements for some top sites (via Hacker News). Or maybe this feature hasn’t shipped yet, since I could only find the referenced file in Safari Technology Preview:

/Safari Technology Preview.app/Contents/Frameworks/SafariShared.framework/Versions/A/Resources/WBSAutoFillQuirks.plist

2 Comments

The same data is at /System/Library/PrivateFrameworks/SafariShared.framework/Resources/WBSPasswordGenerationRequirementsByDomain.plist in existing versions of Safari.
