{"id":20444,"date":"2018-02-06T16:41:11","date_gmt":"2018-02-06T21:41:11","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=20444"},"modified":"2018-02-06T16:41:11","modified_gmt":"2018-02-06T21:41:11","slug":"minimum-password-lengths","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/02\/06\/minimum-password-lengths\/","title":{"rendered":"Minimum Password Lengths"},"content":{"rendered":"<p><a href=\"https:\/\/www.troyhunt.com\/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites\/\">Troy Hunt<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.troyhunt.com\/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites\/\"><p>When I run <a href=\"https:\/\/www.troyhunt.com\/workshops\/\">my Hack Yourself First workshop<\/a>, that&rsquo;s one of the first questions I ask - &ldquo;what&rsquo;s the correct minimum password length?&rdquo; I was thinking about that again just this weekend when preparing V2 of <a href=\"https:\/\/haveibeenpwned.com\/Passwords\">Pwned Passwords<\/a> because I thought I might be able to use a minimum length threshold to reduce the size of the data set. So, rather than projecting my own views on minimum password length, I thought I&rsquo;d go and check what the world&rsquo;s top sites are doing. Here&rsquo;s 15 of the biggest with a summary and some further commentary after that[&#8230;]<\/p><p>[&#8230;]<\/p><p>The point of all this is that you can no longer just look at a minimum length and say &ldquo;ah, 6 characters - or even just 4 - is way too few&rdquo; because authentication schemes <em>can be<\/em> far more intelligent than simply matching those 2 strings. That&rsquo;s not to say those nice round, even numbers are always correct either - there are plenty of sites that don&rsquo;t have any intelligence beyond mere string matching - but hopefully it provides food for thought.<\/p><\/blockquote>\n\n<p>Safari actually <a href=\"https:\/\/twitter.com\/_inside\/status\/959549503920660480\">knows about<\/a> the requirements for some top sites (via <a href=\"https:\/\/news.ycombinator.com\/item?id=16300214\">Hacker News<\/a>). Or maybe this feature hasn&rsquo;t shipped yet, since I could only find the referenced file in Safari Technology Preview:<\/p>\n\n<pre>\/Safari Technology Preview.app\/Contents\/Frameworks\/SafariShared.framework\/Versions\/A\/Resources\/WBSAutoFillQuirks.plist<\/pre>","protected":false},"excerpt":{"rendered":"<p>Troy Hunt: When I run my Hack Yourself First workshop, that&rsquo;s one of the first questions I ask - &ldquo;what&rsquo;s the correct minimum password length?&rdquo; I was thinking about that again just this weekend when preparing V2 of Pwned Passwords because I thought I might be able to use a minimum length threshold to reduce [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[30,1529,981,103,48,96],"class_list":["post-20444","post","type-post","status-publish","format-standard","hentry","tag-mac","tag-macos-10-13","tag-passwords","tag-safari","tag-security","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=20444"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20444\/revisions"}],"predecessor-version":[{"id":20445,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20444\/revisions\/20445"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=20444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=20444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=20444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}