The password creation process on different websites can be a bit like visiting foreign countries with unfamiliar social customs. This one requires eight characters; that one lets you have up to 64. This one allows letters and numbers only; that one allows hyphens. This one allows underscores; that one allows @#$&%, but not ^*()[]!—and heaven forbid you try to put a period in there. Sometimes passwords must have a number and at least one capital letter, but no, don’t start the password with the number—what do you think this is, Lord of the Flies?

You can’t get very far on any site today without making a password-protected account for it. Using the same password for everything is bad practice, so new emphasis has emerged on passwords that are easy to remember. Sentences or phrases of even very simple words have surfaced as a practical approach to this problem. As Thomas Baekdal wrote back in 2007, a password that’s just a series of words can be “both highly secure and user-friendly.” But this scheme, as well as other password design tropes like using symbols for complexity, does not pass muster at many sites that specify an upper limit for password length.

Most sites seem to have their own particular password bugaboos, but it’s rarely, if ever, clear why we can’t create passwords as long or short or as varied or simple as we want. (Well, the argument against short and simple is concrete, but the others are not immediately clear.) Whatever scheme you use to generate passwords, some site will object to it: a multi-word passphrase is too long and has no symbols; a gibberish password is too short, and what’s the % doing in there?

Every company seems to come down differently on the balance between what makes a password secure, what a customer can remember, and what their systems can manage. We wanted to find out why, so we asked several of them.

Why we limit

The brokerage and banking company Charles Schwab has strict length limits—passwords can be no longer than eight characters, no shorter than six. The fact that sensitive financial information is protected by no more than eight letters, numbers, or symbols doesn’t sit well with some customers.

Sarah Bulgatz, director of corporate PR for Charles Schwab, noted that the company is “currently evaluating a project to offer lengthened passwords,” and she said that suspicious account access is met with extra security questions. But security questions are easily bypassed. Bulgatz did not say why passwords are limited to eight characters.

Two-factor authentication is the undisputed best approach to keep interlopers from jacking your account, cumbersome though it would be if universally implemented. Charles Schwab does offer a free “security token” to interested customers that generates a six-digit number for them to enter alongside a password. However, two-factor authentication is as susceptible to phishing as passwords are.

Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that password length does not defend against most attacks on accounts, and the company adds that password cracking is hardly its biggest problem.

“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars. According to a comment written on the Windows blog from Eric Doerr, currently a group program manager at Microsoft, a shift to longer allowed password lengths is not simple. “For historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market,” Doerr wrote.

Not all users buy this excuse. A thread on Stack Overflow took the opposite position, though for passwords with a much smaller limit (eight characters, for one banking site). One user noted that “there is no purpose for a maximum length,” and another called the practice “worthless.” A third user thought the length limit suggested that the company may be storing the passwords themselves rather than hashing them, which is dangerous and leads to inevitable bad news in the event of a hack, as Gawker found out in 2010.

Evernote is fairly flexible with passwords, allowing between six and 64 characters and all symbols except, strangely, spaces. The permitted characters and length for passwords are defined as a regular expression in Evernote’s API, but spaces are left out, Evernote says, because leading and trailing spaces present a problem. “Software needs to precisely determine how to treat leading and trailing spaces,” Dave Engberg, Evernote’s CTO, told Ars. “Some UI frameworks and third-party applications would unreliably trim spaces, others would not.”

Adding support for spaces only in the middle of the password would make the regular expression defining them three times longer, Engberg said. And for that extra effort, the entropy (uncertainty of what character holds any given position in the password) would increase by only 1.5 percent. For that reason, Engberg and Evernote decided to forgo spaces. (Evernote also recently stated it will add optional two-factor authentication later this year.)
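Engberg’s two points, that interior-only spaces force the character class to appear three times and that a client which trims whitespace will silently break login, as an added Python example (my own code, not Evernote’s; the permitted character class is an assumed placeholder, not Evernote’s actual set):

```python
import re

# Assumed placeholder character class for illustration only; Evernote's real
# API regex uses its own set, which is not reproduced here.
ALLOWED = r"A-Za-z0-9!@#$%^&*()_+\-=\[\]{};:,.<>?"

# Rule as the article describes it: 6 to 64 characters, no spaces anywhere.
# The class appears once.
NO_SPACES = re.compile(rf"^[{ALLOWED}]{{6,64}}$")

# Variant permitting spaces only in the interior. The first and last
# characters must come from the space-free class, and only the middle run may
# contain a space, so the class is written three times and the middle length
# bounds shrink by two to keep the overall 6..64 limit.
INTERIOR_SPACES = re.compile(rf"^[{ALLOWED}][{ALLOWED} ]{{4,62}}[{ALLOWED}]$")


def valid_no_spaces(pw: str) -> bool:
    """Accept a password under the no-spaces rule."""
    return NO_SPACES.fullmatch(pw) is not None


def valid_interior_spaces(pw: str) -> bool:
    """Accept a password under the interior-spaces-only rule."""
    return INTERIOR_SPACES.fullmatch(pw) is not None


def pattern_length_ratio() -> float:
    """How much longer the interior-spaces pattern is than the simple one."""
    return len(INTERIOR_SPACES.pattern) / len(NO_SPACES.pattern)


def trimming_breaks_login(pw: str) -> bool:
    """A client that strips whitespace before submitting sends a different
    string (hence a different hash) than the one enrolled. Returns True when
    such a client would fail to authenticate with this password."""
    return pw.strip() != pw


if __name__ == "__main__":
    # Constructed sample inputs covering the edge cases discussed.
    for pw in ["correct horse", " leading", "trailing ", "short", "abcdef"]:
        print(repr(pw), valid_no_spaces(pw), valid_interior_spaces(pw),
              trimming_breaks_login(pw))
    print("interior pattern is %.1fx longer" % pattern_length_ratio())
```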

Symbols are another point of contention. AT&T restricts passwords to between eight and 24 characters, and it only allows the symbols “_” and “-” (Capital One has the same rules, but it limits password length to between eight and 15 characters). When asked why AT&T limits its passwords in this way, an AT&T spokesperson with the Chief Security Organization told Ars that the company decided not to allow symbols because customers did not like typing them when using mobile phones. AT&T’s cybersecurity team stated that its policy protects against “dictionary attacks and related threats while giving users a sufficiently broad range of characters to choose from to craft unique and strong passwords.” In addition to the restrictions listed above, AT&T also bans passwords constructed of the saltier bits of the American lexicon.

If nothing else, the varying password restrictions keep us from lazily using the same password for everything, which is good practice in itself. But as Microsoft noted, many successful password attacks have little to do with the content of the password itself (though the situation is getting worse) and more to do with phishing or other manipulations of the user. Except in extreme cases (ahem, looking at you, Chuck Schwab), specific length and character restrictions are unlikely to have significant effects on account security.
