When was the last time you saw an application accepting passwords shorter than 8 characters? 🤔

Devanand Premkumar
9 replies
Last week, when I was trying to sign up for an application presented here in PH, it asked me to create a password with just 6 characters. I was wondering why we allow such a low entry barrier for the primary authentication: the password. Six characters can be taken down pretty easily, courtesy of today's computing speed and efficiency. What do you think should be the minimum character length for a password to be considered safe and secure?

Replies

Founder at HeyCharlie 🤖
We request 10 or more characters... and encourage 12+ We've taken out any @#$%^& requirements because it gets too difficult otherwise... afaik it's the length that really improves the entropy/security.
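The comment above makes a quantitative claim: dropping the symbol requirement costs little, while added length is what buys entropy. The script below is an added example (not code from the thread or from HeyCharlie) that puts numbers on it: it computes the upper-bound entropy for the lengths mentioned in the thread (6, 8, 10, 12) across three character sets, and implements a length-only policy check of the kind described (minimum 12, no mandatory symbol classes, plus a generous maximum so the 8-character caps discussed later in the thread are avoided). The guess rate used for the time estimate is a parameter the caller supplies, not a figure from the thread.

```python
import math
import string
from typing import Dict, List, Tuple

# Character-set sizes for the three policies compared below.
LOWER = len(string.ascii_lowercase)                                     # 26
ALNUM = len(string.ascii_letters + string.digits)                       # 62
ALNUM_SYMBOLS = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def entropy_bits(length: int, charset_size: int) -> float:
    """Upper-bound entropy in bits for a password of `length` symbols drawn
    uniformly from `charset_size` symbols. Real user-chosen passwords have
    less, so this is the best case for each policy, not a typical value."""
    return length * math.log2(charset_size)


def compare_policies() -> Dict[Tuple[int, int], float]:
    """Entropy for the lengths discussed in the thread (6, 8, 10, 12)
    combined with each character set, rounded to one decimal place."""
    return {
        (n, cs): round(entropy_bits(n, cs), 1)
        for n in (6, 8, 10, 12)
        for cs in (LOWER, ALNUM, ALNUM_SYMBOLS)
    }


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given offline guess rate.
    The rate is an assumed input; it depends entirely on the hash in use."""
    return 2.0 ** bits / guesses_per_second


def check_password(password: str, min_length: int = 12, max_length: int = 128) -> List[str]:
    """Length-only policy in the spirit of the comment above: enforce a
    minimum length, allow long passphrases (a cap only needs to bound
    hashing cost), and require no symbol classes. Returns violations;
    an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    return problems


if __name__ == "__main__":
    for (n, cs), bits in sorted(compare_policies().items()):
        print(f"{n:2d} chars from {cs:2d} symbols: {bits:5.1f} bits")
    # Constructed sample inputs for the policy check.
    for pw in ("abc123", "correct horse battery staple"):
        print(repr(pw), check_password(pw) or "accepted")
```

Running it shows the point in the comment: twelve lowercase letters (about 56.4 bits) outscore six characters drawn from the full 94-symbol keyboard set (about 39.3 bits), so adding six characters does more than adding every symbol class. The `check_password` maximum matters because some hash functions truncate input (bcrypt at 72 bytes, for instance), which is a reason to bound length at a generous value rather than at 8.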
Security Researcher
@jimbomorrison For sure the current best practice is to have 12+ characters. Am glad to see that coming out as a requirement. Please keep up the good work.
Founder & CEO @ BotSpace
Last week when I tried to sign up for H&M's mobile app. I think there should be no limit, not sure what they are trying to achieve by having this limit. Save space?
Security Researcher
@bilal_chaglani Seriously! In 2021, applications are enforcing an 8-character length? That's not the recommended best practice anymore. Saving space as a requirement was valid when storage costs were huge. Now you can get gigabytes of storage for pennies. Storage is not a valid reason to limit the number of characters. Adding to that, if they are storing the password in plain text, considering the length requirements, then they have a bigger problem at hand for sure.
Considering today's computing speed and efficiency, passwords are not at all safe and can lead to data breaches in the near future. The world is now switching to password-less authentication, which is more convenient and safe. Password-less authentication makes sure that you don't have to remember such complex passwords containing @, #, ! etc.
Security Researcher
@tanay_gauba You're right about the issues with passwords. But the migration is a long way from being completed. Think about the numerous applications which need to be switched from traditional password-based authentication to password-less authentication. I think it will take a few more years, considering the pace of the switching/migration that is currently happening.
@devaonbreaches I am working with a startup where we are focusing on password-less and OTP-less authentication. I know it will take some time, but the switch is important when you know everything around you is upgrading.
Security Researcher
@tanay_gauba Totally true. Upgrading is time consuming, but we are all positive it will change for the good. I was also looking earlier at Prabhat's response on one of my other posts, and it makes sense :)