Why Some Websites Restrict Password Length

By Wesley Fenlon

Want to make a really long, secure password? Too bad! Some websites restrict your passwords to as few as 8 characters.

Web security experts have said many times that a longer password is better security--so long as you're using different passwords on different sites. Imayankeedoodledandy would be harder to crack than yank33, even without numbers or symbols. But sometimes we can't make longer passwords because, with little explanation, different websites have different restrictions in place that govern what can and can't go into a password. Ars Technica asked a few such companies to explain their password policies, and the answers they got aren't especially appeasing.

Some sites support passwords up to 64 characters with few descriptions. Evernote, for example, allows 64 character passwords and all symbols, but not spaces. And their explanation for this held up pretty well. Ars writes:

" 'Software needs to precisely determine how to treat leading and trailing spaces,' Dave Engberg, Evernote’s CTO, told Ars. 'Some UI frameworks and third-party applications would unreliably trim spaces, others would not.'

Adding support for spaces only in the middle of the password would make the regular expression defining them three times longer, Engberg said. And for that extra effort, the entropy (uncertainty of what character holds any given position in the password) would increase by only 1.5 percent.

One explanation is that phishing, malware, and password reuse are far bigger problems than password length.

Restrictions from other companies make less sense. Microsoft allows numbers, letters and symbols, but passwords have to be between 8 and 16 characters. AT&T allows between 8 and 24 characters, but only the symbols _ and - because "customers did not like typing them when using mobile phones." And Ars discovered that banking company Charles Schwab, which probably deals with the most vital information of the sites listed here, requires that passwords be between 6 and 8 characters. No explanation was given.

Microsoft's explanation was that phishing, malware, and password reuse are far bigger problems than password length. And that's probably true, but responsible passworders are only hampered by upper limit restrictions, especially when those limits are as small as 8 characters. Read the rest of the Ars Technica story for some reasons why short password restrictions can imply greater security issues, like companies storing passwords themselves, potentially leaving them vulnerable to hacking.