This may sound like a frivolous question, but those in the security field will get it. Should I let the user enter any number of characters as long as it's greater than 0 chars? My logic is:
- the password is going to be hashed and salted anyway, and
- it's more fun for someone doing a rainbow table to NOT have any length/other guidelines, but
- my concern is the brute force dictionary attacks.
Am I sort of on the right track with this?
Since I'm asking the lower limit question, I might as well ask about the upper limit? Again, it's going to be hashed and salted, so db size is not an issue. Then the only issue I can think of in this case is buffers more than anything else, right?
Update: For those coming late to the question
So the general consensus seems to be confirming what I initially thought, that the risk of brute force increases. However, the RT cracker's job is not going to be made that much more difficult by the fact that they have no clues as to the size. It may in fact be made easier, since they start with lower character tables anyway. Correct? (Not to mention the non-technical concerns that have now come up with looking over someone's shoulder, etc., which aren't as big a concern for longer passwords.)
So the conclusion is: even if you hash/salt the password, short passwords are still a risk
For long passwords, however, I'm not sure I have a conclusive answer. Should I worry about buffer overflows? It's still a regular input field, after all.
It will leave the attacker with just 1296 options to guess the particular user's password.
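An added example, not part of the original question or of the answer above, that puts numbers on both points: the keyspace a brute-forcer has to cover grows with the permitted length (the 1296 figure is 36^2, every two-character lowercase alphanumeric password), and a server-side length check sits in front of salted hashing. The policy values (MIN_LEN = 8, MAX_LEN = 128), the 36-symbol alphabet, the PBKDF2 parameters and the assumed guess rate are all my assumptions, not something the thread specifies.

```python
import hashlib
import hmac
import os
import string

# Assumed attacker alphabet: lowercase letters + digits = 36 symbols.
LOWER_ALNUM = string.ascii_lowercase + string.digits

# Assumed policy values (not from the thread).
MIN_LEN = 8
MAX_LEN = 128          # bounds input size and per-attempt hashing work
PBKDF2_ROUNDS = 600_000  # assumed work factor for the illustration


def keyspace(length, alphabet_size=len(LOWER_ALNUM)):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def cumulative_keyspace(max_length, alphabet_size=len(LOWER_ALNUM)):
    """All candidates of length 1..max_length.

    A brute-forcer enumerates the short ones first, so having no minimum
    length does not add work for the attacker; it only adds short, cheap
    targets. Only raising the minimum removes the cheap prefix of the space.
    """
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(min_length, max_length, guesses_per_second,
                       alphabet_size=len(LOWER_ALNUM)):
    """Time to try every candidate the policy actually allows (assumed rate)."""
    total = sum(alphabet_size ** n for n in range(min_length, max_length + 1))
    return total / guesses_per_second


def check_length(password):
    """Return None when the length is acceptable, else the reason string."""
    if len(password) < MIN_LEN:
        return "too short"
    if len(password) > MAX_LEN:
        return "too long"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Length is checked first."""
    reason = check_length(password)
    if reason is not None:
        raise ValueError(reason)
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest against the stored one."""
    if check_length(password) is not None:
        return False
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    rate = 1_000_000  # assumed guesses per second against a slow hash
    for n in (2, 4, 6, 8, 10):
        print(f"len {n:>2}: {keyspace(n):>20,} candidates, "
              f"{seconds_to_exhaust(1, n, rate) / 86400:,.1f} days for all of len 1..{n}")
    salt, digest = hash_password("correct-horse-battery")
    print("verify ok:", verify_password("correct-horse-battery", salt, digest))
    print("verify bad:", verify_password("wrong-password-here", salt, digest))
```

The salted hash only stops precomputation and cross-user reuse of work; it does nothing about the size of the space the attacker must search, which is why the minimum length is what actually raises the cost of online or offline guessing. The maximum length is there to bound request size and the work the slow hash does per attempt, not because the hashing itself needs it.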