OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: Authentication Cheat Sheet #1376

Closed sohsatoh closed 2 months ago

sohsatoh commented 2 months ago

What is missing or needs to be updated?

In this cheat sheet, the following statements are present.

Maximum password length should not be set too low, as it will prevent users from creating passphrases. A common maximum length is 64 characters due to limitations in certain hashing algorithms, as discussed in the Password Storage Cheat Sheet. It is important to set a maximum password length to prevent long password Denial of Service attacks.

Implement a reasonable maximum password length, such as 64 characters, as discussed in the Password Storage Cheat Sheet.

These statements have the following problems.

  1. The Password Storage Cheat Sheet no longer seems to have any mention of length restrictions (except for bcrypt).
  2. Password requirements are not directly related to Denial-of-Service (DoS) attacks. Also, this attack is just an implementation issue.

DoS caused by character length is not a password requirement issue, but an implementation issue. Also, there seems to be no concrete basis for a 64-character length in the modern era.

How should this be resolved?

Remove the statement about DoS, or remove the statement about the specific number of characters that cause a DoS.

(Or it is also possible to lower the tone of the places where it says "important" and describe it at a level of "consider" instead)

jmanico commented 2 months ago

I like "consider" and a max of 128, and support at least up to 64.

sohsatoh commented 2 months ago

NIST has stated the following in 800-63B.

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

Allow at least 64 characters in length to support the use of passphrases.

Therefore, I agree that the maximum character length should be "at least 64 characters".

However, I believe that how many characters is appropriate as the upper limit is a controversial issue. This should be based on some criteria, and I think there is still room for debate.

szh commented 2 months ago

Why have an upper limit at all?

kwwall commented 2 months ago

It's not an upper limit. It's a least upper bound.

-kevin

On Wed, Apr 10, 2024, 10:57 AM Shlomo Zalman Heigh wrote:

Why have an upper limit at all?


szh commented 2 months ago

So maybe it should be worded something like, "A maximum length is not recommended. However, if one is needed, it should not be lower than __ chars".

sohsatoh commented 2 months ago

Sounds good. I support a minimum of 64 characters as specified by NIST.

Like,

The maximum length of the password should be specified as 64 characters or more, as per the NIST guidelines.

(I am not a native English speaker, so there may be grammatical errors though.)

I will create a pull request after the discussion is concluded.

Edit: I had totally forgotten about ASVS. It states: "Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied." However, I don't think 128 is based on any criteria.

jmanico commented 2 months ago

I suggested this at ASVS 5.0:

Verify that passwords of at least 64 characters are permitted and that passwords above a certain max length (such as 128 or more characters) are denied.
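The length policy discussed in this thread (NIST 800-63B minimum of 8, at least 64 permitted, and the ASVS-style cap of 128 proposed above), as an added example that is not the cheat sheet's or the project's own code. It assumes the cap is configurable per deployment and uses `hashlib.scrypt` as a stand-in for whatever slow hash the project actually uses; the bcrypt byte-limit check is only relevant where bcrypt is the chosen algorithm.

```python
"""Added example: password-length policy check using the numbers from the
thread. The cap and the scrypt stand-in hash are assumptions, not the
cheat sheet's recommendation."""
import hashlib
import os
import unicodedata
from typing import Optional, Tuple

MIN_LEN = 8         # NIST 800-63B: SHALL require at least 8 characters
MUST_PERMIT = 64    # NIST 800-63B: SHOULD permit at least 64 characters
DEFAULT_MAX = 128   # ASVS figure quoted in the thread (assumed cap)
BCRYPT_LIMIT = 72   # bcrypt silently truncates input beyond 72 bytes


def normalize(password: str) -> str:
    # NFKC so the same passphrase typed with composed/decomposed
    # characters yields the same length and the same hash input.
    return unicodedata.normalize("NFKC", password)


def check_length(password: str, max_len: int = DEFAULT_MAX) -> Tuple[bool, str]:
    # Count code points, not bytes: the policy is stated in characters and
    # users may choose non-ASCII passphrases.
    n = len(normalize(password))
    if n < MIN_LEN:
        return False, "too short"
    if n > max_len:
        return False, "too long"
    return True, "ok"


def cap_is_compliant(max_len: int) -> bool:
    # A configured cap below 64 would violate both NIST and the ASVS text.
    return max_len >= MUST_PERMIT


def fits_bcrypt(password: str) -> bool:
    # Where bcrypt is the hash, a 64-character non-ASCII passphrase can
    # exceed 72 bytes and be truncated, so check the byte length too.
    return len(normalize(password).encode("utf-8")) <= BCRYPT_LIMIT


def hash_if_acceptable(password: str, max_len: int = DEFAULT_MAX) -> Optional[bytes]:
    # The length check runs BEFORE the expensive KDF, so an oversized
    # submission never consumes hashing time (the DoS point in the thread).
    ok, _ = check_length(password, max_len)
    if not ok:
        return None
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt + digest
```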