
Topic: Password rules (Read 1298 times)

MaxCuriosus

  • Full Member
  • ***
  • Posts: 136
Password rules
« on: May 10, 2020, 03:38:12 pm »
What are the rules for composing the login password, like length, type of characters, symbols, etc?

Thaddy

  • Hero Member
  • *****
  • Posts: 14393
  • Censorship about opinions does not belong here.
Re: Password rules
« Reply #1 on: May 10, 2020, 03:50:49 pm »
Mix lower and uppercase letters and numerics, and add one or more printable characters like $#@!*&.
Length matters: the longer the better (in that case use poems, sayings or quotes so it is easy to remember). At least 8 chars. Do not accept sequential order, like 12345 or abcdefg, or !@#$% for that matter. Etc.
« Last Edit: May 10, 2020, 03:54:49 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.
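Thaddy's rules above turned into a checker, as an added example that is not from the thread or from SMF. Treating a run of 4 characters as "sequential" and using the shifted digit row "!@#$%^&*()" to catch runs like !@#$% are assumptions of this example; it also rejects repeated runs, which covers lucamar's "aaaaaaaa" case from the next reply.

```python
import string
from typing import List

# Punctuation counts as the "printable characters" the post asks for.
SYMBOLS = set(string.punctuation)
# Constructed: the shifted digit row, so "!@#$%" counts as sequential even
# though its code points are not consecutive.
SHIFT_ROW = "!@#$%^&*()"
# Assumption: a run of this many characters is what we call "sequential".
RUN_LEN = 4
SEQUENTIAL = "contains a sequential run (e.g. 1234, abcd, !@#$)"
REPEATED = "contains a repeated character run (e.g. aaaa)"

def _windows(pw: str, n: int):
    for i in range(len(pw) - n + 1):
        yield pw[i:i + n]

def has_sequential_run(pw: str, run_len: int = RUN_LEN) -> bool:
    """True if run_len adjacent chars step up or down by one code point
    (abcd, 4321) or form a slice of the shifted digit row (!@#$)."""
    for w in _windows(pw.lower(), run_len):
        steps = [ord(b) - ord(a) for a, b in zip(w, w[1:])]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
        if w in SHIFT_ROW or w in SHIFT_ROW[::-1]:
            return True
    return False

def has_repeated_run(pw: str, run_len: int = RUN_LEN) -> bool:
    """True if run_len adjacent chars are identical (the forum's aaaaaaaa)."""
    return any(len(set(w)) == 1 for w in _windows(pw, run_len))

def check_password(pw: str, min_len: int = 8) -> List[str]:
    """Return the rules the candidate breaks; an empty list means accepted."""
    checks = [
        (len(pw) < min_len, f"shorter than {min_len} characters"),
        (not any(c.islower() for c in pw), "no lowercase letter"),
        (not any(c.isupper() for c in pw), "no uppercase letter"),
        (not any(c.isdigit() for c in pw), "no digit"),
        (not any(c in SYMBOLS for c in pw), "no symbol"),
        (has_sequential_run(pw), SEQUENTIAL),
        (has_repeated_run(pw), REPEATED),
    ]
    return [msg for failed, msg in checks if failed]
```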

lucamar

  • Hero Member
  • *****
  • Posts: 4219
Re: Password rules
« Reply #2 on: May 10, 2020, 04:08:58 pm »
If you mean for this forum, this is what the "Change password" tip says:
Quote:
    For best security, you should use eight or more characters with a combination of letters, numbers, and symbols
though it will happily let you use ultra-simple passwords like, say: aaaaaaaa
:o
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus/FPC 2.0.8/3.0.4 & 2.0.12/3.2.0 - 32/64 bits on:
(K|L|X)Ubuntu 12..18, Windows XP, 7, 10 and various DOSes.

MaxCuriosus

  • Full Member
  • ***
  • Posts: 136
Re: Password rules
« Reply #3 on: May 10, 2020, 04:15:43 pm »
But is there a maximum length? Are there some symbols not allowed? Are accented letters allowed? Thank you.

eljo

  • Sr. Member
  • ****
  • Posts: 468
Re: Password rules
« Reply #4 on: May 10, 2020, 04:35:07 pm »
Quote:
    But is there a maximum length? Are there some symbols not allowed? Are accented letters allowed? Thank you.
That's implementation dependent, but in my book there should be no limit on the maximum length; if one must exist, then something like 64K characters should be sufficient. No limitations on the symbols either. The idea of rules is to expand the richness of the symbols used, not to limit them.

There are some systems, though, that might not be able to support the full Unicode symbol table, so you have to constrain yourself to those limits. Other than old systems and incapable databases/storage systems, there is no reason to limit the end user's creativity when it comes to selecting a password.

lucamar

  • Hero Member
  • *****
  • Posts: 4219
Re: Password rules
« Reply #5 on: May 10, 2020, 04:36:48 pm »
Quote:
    But is there a maximum length?
Probably, though it should be large enough for most uses; mine has around 20 characters (plus/minus X%). Just don't try to use the text of War and Peace for your password: it might work :)

Quote:
    Are there some symbols not allowed?
There shouldn't be, though you might have problems with some of them due to encoding differences.

Quote:
    Are accented letters allowed?
Yes, definitely; I used them myself. Though, again, you might run into encoding problems, say if your (new/other) browser decides to start sending combining diacritics instead of single composites; it might seem unlikely, yet it is possible.
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus/FPC 2.0.8/3.0.4 & 2.0.12/3.2.0 - 32/64 bits on:
(K|L|X)Ubuntu 12..18, Windows XP, 7, 10 and various DOSes.

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 9912
  • Debugger - SynEdit - and more
Re: Password rules
« Reply #6 on: May 10, 2020, 05:21:39 pm »
Quote:
    But is there a maximum length?

I don't actually know how SMF implements this. You can download a copy of it and find out yourself. (I found some references that it uses SHA1, but have not verified that.)

But in general:
With any decent software your password is not stored on the server. Instead a hash function is applied and the resulting hash is stored.
When you login, the same function is applied, and the result must match.

The hash usually has a fixed length.
E.g. a relatively good SHA256 is 256 bits long => that is, there are 2 to the power of 256 possible values.
SHA1 has 160 bits.

Hashes are not collision-free. If you test an infinite number of passwords, you will find several passwords leading to the same value.

Which means that a password does not get more secure once it passes a certain length, because there will very likely be a shorter password which has the same hash (and hence will be accepted for login).

A-Z, a-z, 0-9, and maybe 10 special chars => 72 different values. For simplicity make that 64, which is 6 bits. 160 divided by 6 = 27.
So at about 30 truly random chars you have reached the cut-off. (Differs if not truly random.)
Some hashes may only occur with longer sequences. But you don't know which.
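An added example, not from the thread and not SMF's code, that carries Martin's arithmetic through in general (entropy of a random password versus the hash's output size, for any alphabet and hash) and shows the store-the-hash-not-the-password login check he describes, with lucamar's encoding caveat handled by NFC-normalising before hashing. Using PBKDF2-HMAC-SHA256 with a salt, and the iteration count, are assumptions of this example rather than anything the thread states about SMF.

```python
import hashlib
import hmac
import math
import os
import unicodedata
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for whatever SMF really uses; the
# iteration count is a placeholder to tune for your own hardware.
ITERATIONS = 100_000

def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in `length` chars drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)

def cutoff_length(charset_size: int, hash_bits: int) -> int:
    """Shortest length at which a uniformly random password already carries at
    least as many bits as the hash output; extra length past this point cannot
    raise the cost of a brute-force search of the hash space."""
    return math.ceil(hash_bits / math.log2(charset_size))

def canonical(pw: str) -> bytes:
    """NFC-normalise so an e-acute typed as one code point or as 'e' plus a
    combining acute hashes the same way, then encode as UTF-8."""
    return unicodedata.normalize("NFC", pw).encode("utf-8")

def make_record(pw: str, salt: Optional[bytes] = None) -> dict:
    """What the server stores: salt, iteration count and derived hash, never pw."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", canonical(pw), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}

def verify(pw: str, record: dict) -> bool:
    """Login: re-derive from the submitted password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", canonical(pw),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

if __name__ == "__main__":
    # Martin's numbers: 64-symbol alphabet (6 bits/char) against SHA1's 160 bits,
    # and the same alphabet against SHA256's 256 bits.
    print(cutoff_length(64, 160), cutoff_length(64, 256))  # 27 43
    rec = make_record("caf\u00e9")      # precomposed e-acute (constructed sample)
    print(verify("cafe\u0301", rec))     # True: combining form still matches
    print(verify("cafe", rec))           # False
```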

MaxCuriosus

  • Full Member
  • ***
  • Posts: 136
Re: Password rules
« Reply #7 on: May 10, 2020, 07:54:31 pm »
Thank you all for your much appreciated explanations and insights.