Password Length and Complexity for Social Media Sites

Filed under Social Networks

July 1st was “Twittersec” day, as coined by @hevnsnt over at to designate July 1st as change-your-Twitter-password day. Why? Mostly because July is the “month of Twitter bugs” created by a security researcher, in which he will announce a bug in a “3rd party Twitter application” every day for the month of July to raise awareness of security issues with the Twitter API. Technically, this should be the “month of 3rd party Twitter bugs”, but whatever. Either way it will raise awareness of some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point…I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem, though, is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password, as I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is, the harder it is to crack, so I suggest going as long as you can. It is sad that there are these limitations on certain sites (blame the site developers), but if you set your random password generator to a very large number (I recommend at least 20 characters with a mix of everything you can throw at it, including white spaces if the site will let you), it’s as good as you’re going to get.

Keep in mind that some applications, even ones supported by the site itself (like the Facebook app for BlackBerry and iPhone), might not accept passwords over a certain length or even certain special characters…you will find out once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

None. I tried a 500 character password with everything but white spaces and it worked.

None. I tried a 1000 character password with everything but white spaces and it worked.

10 characters! Wow…really bad. Now I know another reason MySpace sucks.

16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password longer than 16 characters, it will only use the first 16; you can actually see this when entering a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design, as they could easily just hash the entire password (producing a digest of a fixed, manageable length) so that the hash, not the long password itself, is what gets stored in the database. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password, because when you try to log in with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password over and over, thinking you fat-fingered the password to begin with. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand, since you would have to use these passwords on mobile devices and other integrated apps. However, there is no technical obstacle to just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!


  1. soleblaze says:

    myspace does store the password in clear text. If you say you lost your password and get them to send it to you, it’s sent to your email account in cleartext.

  2. Thanks a lot, Tom, for saving my time. LinkedIn did exactly that to my password – truncated it to 16 characters. Without your post I would still be wasting time trying to find the max password size or contacting LinkedIn support. Now that my problem is resolved, I sent a suggestion for improvement to LinkedIn – they should clearly indicate the max password length on their page and reject longer passwords.

  3. Hassan says:

    Just because you could use a password with the length of 500 or 1,000 does not mean that there is no maximum length for it! This just means that you don’t know what it is.

  4. Dwayne says:

    If you can enter a 1000 character password and you suspect it is getting truncated, a binary search can fairly rapidly allow you to find the actual cap if it is below that.

    But in reality, if you are randomly generating a password it is pointless to generate one with more than 512 bits of entropy since it is going to almost certainly get hashed as SHA512 on the server.

    Most sites end up capping at no more than a few thousand, either accidentally by how they transmit them over the wire or intentionally in order to prevent wasting bandwidth on 16KB passwords that will end up with no more entropy than contained in the first thousand bytes, because let’s be serious, no one uses multi-hundred character passwords that aren’t randomly generated.
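As an added example that is not part of the original post or its comments, the Python below shows the two designs the post contrasts (a store that hashes the whole password to a fixed 32-byte PBKDF2 digest, beside a constructed store that silently keeps only the first 16 characters, as the post says LinkedIn does) and then runs the binary-search check from Dwayne’s comment against a test account on each store, the way a site owner would regression-test their own login code. The `PasswordStore` class, the user name and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

ITERATIONS = 100_000  # PBKDF2 work factor; raise it for production use

def make_record(password: str) -> dict:
    """Hash the whole password to a fixed 32-byte digest; length costs the DB nothing."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

def verify_record(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

class PasswordStore:
    """cap=None hashes the full password; cap=16 mimics a site that silently keeps
    only the first 16 characters (constructed stand-in, not any real site's code)."""

    def __init__(self, cap: Optional[int] = None):
        self.cap, self.records = cap, {}

    def register(self, user: str, password: str) -> None:
        self.records[user] = make_record(password[: self.cap])

    def verify(self, user: str, attempt: str) -> bool:
        return verify_record(self.records[user], attempt[: self.cap])

def find_truncation_cap(register: Callable[[str], None],
                        verify: Callable[[str], bool], max_len: int) -> Optional[int]:
    """Binary-search for the shortest prefix of a max_len-char password that still
    verifies; returns that cap, or None when only the full password works."""
    full = "".join(chr(0x21 + (i * 7) % 94) for i in range(max_len))  # printable, no spaces
    register(full)
    lo, hi = 1, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if verify(full[:mid]):
            hi = mid  # a shorter prefix logs in, so the cap is at or below mid
        else:
            lo = mid + 1
    return lo if lo < max_len else None

def audit(cap: Optional[int], max_len: int = 1000) -> Optional[int]:
    """Run the check against a constructed store for one test user (assumed name)."""
    store = PasswordStore(cap)
    return find_truncation_cap(lambda p: store.register("alice", p),
                               lambda a: store.verify("alice", a), max_len)
```

`audit(16)` reports the hidden cap of 16 after about ten login attempts, while `audit(None)` reports no cap, and the 500-character password the post tried still yields a 32-byte digest in the full-hash store.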
