What is the *real* maximum password length?

by Bharat Suneja on January 16, 2007

I’ve for long been an advocate of using long passwords, using entire phrases/sentences instead of a single more complex but short password.

Some Windows Server 2003 documentation states the maximum password length is 28 characters (e.g. Enforcing Strong Password Usage Throughout Your Organization says “Although Windows 2000, Windows XP, and Windows Server 2003 support passwords up to 28 characters, … “). The Change Password dialog box that users normally use (the one that shows up when you choose Change Password after hitting CTRL-ALT-DEL) lets you enter only 26 characters. Using AD Users & Computers, you can reset it to 32 characters.

Adding to the confusion, the help text for the Reset Password dialog box states that it provides space to type a password up to 127 characters (which it doesn’t, as we’ve seen in the above screenshot – it’s limited to 32 characters).

What’s the real maximum?

The Answer: The ResetPassword dialog box does provide a space for up to 127 characters. However, the way the edit box controls work (in the above Reset Password dialog box), when you continue to enter characters past the 32-character width of the control, it does not scroll characters to the left, but continues to accept the longer password. This can be observed when you delete the long password – it deletes the 32 visible characters (though it doesn’t visibly display the scrolling effect, it has indeed scrolled), then scrolls to the left to display the remaining characters in the 32-character window. Here’s a Flash demo that shows that. :)

In the above demo, when the password being entered reaches the visible limit of the edit box, you feel it’s not taking the rest of the password. Wait a few seconds till the password is being deleted.

The Change Password dialog box behaves similarly.

{ 3 comments… read them below or add one }

1 Anonymous February 5, 2009 at 1:05 am

Hello from Germany!
This is incredible!
As a Security Consultant working in Awareness, i just couldnt tell, how disappointing that is. I think in Future, we will have good Passphrases instead of Passwords!
But how will i tell my Users, if Windows behave like that? :-S
In Future, we’ll have an Poem attack instead of a dictionary Attack ;-)
Greets from Berlin, Germany

Reply

2 Anonymous June 8, 2009 at 11:30 pm

can i know the maximum password length can be used in server 2008

Reply

3 Allan November 10, 2010 at 4:12 am

My XP allows more than 26 characters in the change password box. Qute a lot more. XP SP3

Reply

Leave a Comment

Previous post:

Next post: