Password Length Matters

When the web application requires registration in order to reach its functions, it guides the user through on the registration flow. This is where the users are asked to provide their personal data and users do give out their personal information. Even a single mail address is considered to be a personal data.

Here comes security concerns into the picture:

  • Does a password have an expiration date?
  • Is the password unique?
  • Does the application have account locking feature in case many bad attempts are happening?
  • Does the password contain special characters?
  • Does the password have restrictions for its length?
  • etc

Application can help users to make a better decision on selecting password for their account during the registration process, to raise users’ awareness in the importance of using passwords that can really protect it. We can see a minimum requirement for the password length, and password policies that requires as to include special characters as well. We understand that password has value.

Hackers are trying to acquire (and do acquire) passwords. Even the strongest password cannot withstand attacks.

I don’t see why web applications that requires registration are not applying any password policy during the registration process. Some web apps allow themselves to set the minimum required password field length to 1 character! Having a password field like this is like saying “Hey, be glad, we have a password field at least, the rest is on you.”

One real life example is Wikipedia. Wikipedia allows users to create an account with one char long password. There is a validation on space. If you tried to create a user with a space in the password field, you got the following error message:


This error message is nice 🙂

Infosec Institute has an article titled “Password Security: Complexity vs. Length”

In this article they re-share the formula to calculate how difficult it is to hack a password:

The formula is log(C) / log(2) * L where C is the size of the character set and L the length of the password; from a mathematical standpoint, it is clear how L, the length, has a predominant role in the calculation of the entropy bits. C normally includes symbols, lower and upper case characters and number for a total of 96 possible characters or less, if some are excluded: “When looking at passwords in this light, it really starts to become clear how much more important the password length is, as opposed to the defined complexity requirements. To further this point, if you’re using passwords with a character set of 10 (only numbers), in order to achieve the same amount of entropy as a character set of 94 (all possible ASCII characters), you only have the double the password’s length. To say it another way, a password that is 16 characters long made up of only numbers provides the same level of difficultly-to-crack as an 8-character password made up of the possible 94 possible characters.”

I really hope that Wikipedia users who provide their email address – which is an optional field for registration, do consider password safety.

Minimum length of the password is important. Testers, let’s not forget to check the requirements for field validation rules with business people when it comes to implementing a registration flow.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s