Back to Home

How long is enough? Minimum passwords on the most popular sites

passwords · minimum length · even numbers

How long is enough? Minimum passwords on the most popular sites

Original author: Troy Hunt
  • Transfer
Recently, I often share my thoughts on passwords. Here we have the absolute cornerstone of security - a paradigm that everyone with an online account understands - and at the same time, we see fundamentally different approaches to this issue from different services. Some have strict password complexity rules. Others have a small maximum length. Some do not allow copying from the clipboard. Others make you change your password regularly. Such absurdity is everywhere.

Last year I wrote a guide to authentication in the modern eraand talked about many of the above requirements. In particular, I drew attention to how modern ideas contradict many traditional ideas about the correct work with passwords. That article abundantly cites guides from the NCSC and the American NIST  , the British Cybersecurity Center , and debunking many of the old myths. Get rid of complexity rules, allow long passwords, do not prohibit copying from the clipboard and refuse the obligatory change of passwords. However, there is nothing regarding the minimum length , and this made me wonder which number would be correct?

When I taught Hack Yourself First, then one of the first to ask the question: "What is the correct value for the minimum password length?" I thought about this again this weekend, while working on the second version of the Pwned Passwords website , because I thought that you could use a minimum length limit to reduce the size of the data set. Instead of projecting my opinion on this issue, I decided to go and check how things are going on on the largest sites. Here are the top 15 with a summary and some additional comments:

Google




Facebook


The description is a bit misleading. It says that the password should be longer than 6 characters. In fact, it should be 6 characters or longer.



Wikipedia


Surprisingly, Wikipedia has a minimal criterion ... you just have to specify a character. It's enough.



But damn it, this is significant progress over what it was before:


“At least Wikipedia has abandoned blank passwords for security reasons.”

Reddit




Yahoo


Without stating this explicitly, Yahoo requires a password of at least 8 characters to meet the minimum length criteria:



Amazon




Twitter




Microsoft




Instagram




Netflix


Netflix allows ultra-short passwords from just 4 characters. Perhaps one of the reasons is to make it easier to enter the password from the TV remote.



LinkedIn




Twitch




Pornhub




Ebay




imgur




Summary


Let's lay out all the results in one table:

Google8
Facebook6
Wikipedia1
Reddit6
Yahoo8
Amazon6
Twitter6
Microsoft8
Instagram6
Netflix4
LinkedIn6
Twitch8
Pornhub6
Ebay6
imgur6

Surprised? Many people will choose a 6-character password because it seems short. 9 out of 15 sites allow passwords of 6 characters, 4 sites require a minimum of 8 characters, and there is Netflix with a minimum limit of 4 characters and Wikipedia, well, let's not mention their restriction ... But my thoughts on this:

In each case: minimum password length is an even number! In your opinion, how scientifically grounded is the process of determining the ideal minimum length if all the big players just landed on 4, 6 or 8?

No one has 5 or 7, or 9, only beautiful, nice, symmetrical even numbers. So here is the first insightful conclusion from observation - no science is definitely involved here.

But there is something else, and I repeated it many times in the article with the password guide in the modern era: authentication today is much, much more than just a comparison of two lines. So it was at first - you had a username and password, and if it coincided with what was stored in the system, then you were allowed into the system. But now we are far from such an approach.

For example, we have two-factor authentication. Yes, frighteningly few people use it, but now it’s an affordable technology for security control in the mass market, and we have access to all types of services that did not exist even five years ago. We are also starting to better understand user behavior when choosing passwords; that’s the whole point of the Pwned Passwords project - recognizing that people make crappy security decisions! Let's identify them at an early stage and help people make the right choice (that is, “you really shouldn't use such a password ...”).

Then there are controls based on heuristics of other users, for example, the requirement to verify through a registered email address if the user tries to log in from an unusual place (you could see how Facebook used to do this). The same thing when using a new browser - this can lead to a decrease in trust, which requires additional verification. In fact, the whole premise of “trust” becomes especially important when we move away from this binary state: to allow or deny access. Try going to different sites through Tor - and you will have to prove that you are human, because, as it turned out, bad guys especially like to use anonymity tools.

The point of all this is that you can no longer just look at the minimum password length and say: “Ay, six characters - or even four - is too small”, because authentication schemes can be much more advanced than just comparing two lines . This does not mean that it is always correct to use these beautiful even numbers - there are many sites that do not use any advanced tools, but only string comparisons - but I hope this provides food for thought.

Oh, and if you really find a site with an odd number as the minimum password length, then leave a comment below, because now it has become interesting to me.

Read Next