It occurred to me recently that by now, this limit must surely have been lifted, especially as Moore’s Law has improved hardware speeds and thus the ability to crack passwords of 8 characters easily via brute force.

(See Password Exhaustion: Predicting the End of Password Usefulness – PDF for more good info on this.)

So I asked about this over on Stack Overflow (SO), and got a lot of good responses. But in thinking about the answers more, and in particular trying to code something to find the maximum length on a given system, I had some more thoughts.

In particular, while the limit of 8 characters probably went away on most Linux systems in the late 1990s or early 2000s, there’s always a lingering question (in my mind anyway) of, “Yeah, but does this system I’m currently on support characters > 8 characters?”

Here’s what I coded up as a quick Perl script to try finding the maximum length of passwords for the system it’s run on:

#!/usr/bin/perl -w
$| = 1; # turn off output buffering so each . prints out
my($newpasswd) = chr(rand(95) + 32); # ASCII char 32-126
my($lasthash) = crypt($newpasswd, '$1$12345678'); # MD5=$1$
while (1) {
    print '.'; # for debugging/progress
    $newpasswd = join('', $newpasswd, chr(rand(95) + 32));
    $newhash = crypt($newpasswd, '$1$12345678');
    if ($newhash eq $lasthash) {
        print "Maximum password length: ";
        print length($newpasswd) - 1, "\n";
        last;
    }
}

(loosely based on some code posted in response to my question on SO)

After looking at this blog post on Password Length, I figured the program would stop at 79 or 127 or something, but to my surprise it didn’t, it just kept going on and on and on until eventually it was killed by my web host as a runaway program (which, I guess, it sort of was )

This puzzled me, and vexed me, so in my obsessiveness I wanted to find out why this would happen. I mean, that blog post said there was a limit, so why wasn’t I finding one?

It turns out that as long as you’re making the Unix crypt() function use a hashing method other than the classic/default DES-based algorithm, by using a salt prefix like $1$ for MD5, there really is no limit to the password because it’s like producing an MD5 hash for a file—you can get a different MD5 hash for files of any length.

I believe where the real limit—if there is one on a given system—comes in, is not in the Unix crypt() function, but by the password programs such as “passwd” that use it. Those programs themselves may have input limits, which is the only way I can explain the limits shown on that password length blog post.

As someone on SO commented though, you’re probably always safe using a password longer than 8 characters—if you used “mybigbigapple” as a password and the system only paid attention to the first 8 characters, it would just ignore the “apple” part. It’s just a question of whether it wall also accept “mybigbigorange”.

And if it’s easier for you to remember a longer password, then that’s a consideration too.

I guess for me it’s just a question of knowing whether the system I’m on is stronger (supporting passwords > 8 characters) or weaker with passwords, and for some reason I just want to know whether the system is ignoring everything I type past 8.

I did find it a little ironic, though, that if your password gets into the very long category, there’s actually a greater chance (at least with MD5 I believe) of a hash collision, meaning that another password (or one entered by a password cracker) might produce the same hash and thus let someone use that alternate password instead of your real password.

(If you have no idea what I’m talking about re: password hashes, see the Wikipedia article on Passwords, particularly the Background section.)

So where does that leave us? Well, I think it’s relatively easily to check whether crypt() supports passwords longer than 8 characters:

perl -e 'if (crypt(q^12345678^, q^$1$@@$^) eq
  crypt(q^123456789^, q^$1$@@$^)) { print "crypt() appears
  limited to 8 characters\n" } else { print "crypt() appears
  to support more than 8 characters\n"; }'

(typed on the command line, all in one line of course)

Exactly how much longer than 8 characters seems like it would depend on the particular program and not crypt() itself. The password length blog post seems to say that 72 or 79 might be a common limit, and since the average English word length appears to be 5.1 letters, that’s about 14 words.

So as a rule of thumb, we can probably figure that maybe a 10 word maximum for a password (really a “pass phrase”) is about right. That’s what I’ll go with anyway, at least after I use the command above to check that such a longer password/passphrase will actually be worth the trouble on a given system

At least until passwords go away completely of course!

(And while I’m on the topic of security, let me recommend the excellent book Schneier on Security. I picked it up in the bookstore recently with a stack of other books to breeze through, and long after putting the other books down I was still reading it! Very good thinking on a wide range of computer security topics.)