[meteor333]

Sorry didn't think about that. Can you tell me what is generally accepted limit for password managers or in general?

[signal11]

NIST's 2017 guidelines say:

5.1.1.2: "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length." [1]

[1] https://pages.nist.gov/800-63-3/sp800-63b.html or https://doi.org/10.6028/NIST.SP.800-63b

[meteor333]

Thank you. That helps.

[rabboRubble]

I use a common password manager and its max generated password length is 64, so it's in agreement with NIST. That said I am able to manually add characters to increase beyond 64.

[LyndsySimon]

Why have a limit at all? You should be comparing against a hash anyhow, which is fixed length.

I generally use 128-char passwords by default, and only use shorter ones when a service requires it.

[meteor333]

Just the db limit, but yes increasing to 128 shouldn't be an issue.

Edit: Passwords are stored with bcrypt hash. That's right password limit shouldn't matter.

[LyndsySimon]

Yikes.

Yeah, you should be storing the password hashes in the DB, not the passwords. The hashes are going to be the same length regardless of the password's length.

If you wanted to get real fancy, hash the password once on the client side (reducing it to a known length), then again on the server. You should also be using a per-user salt to prevent a rainbow table from being generated if your DB is leaked.

[meteor333]

yup it is stored with bcrypt hash and per-user salt.

[usmannk]

Does this mean that you are storing plaintext passwords in the db? The hashes should be the same length regardless of the password length.

[d-jo]

Last Pass generates up to 100 characters. In addition, the OWASP authentication cheat sheet says a typical max is ~128 characters.

https://www.owasp.org/index.php/Authentication_Cheat_Sheet#P...

[egypturnash]

LastPass currently caps its generated passwords at 100 but it used to be more like 1000.