Question on Password Length (CSP Unit 4 Lesson 8)

One of the questions on the “U4L08 Worksheet - Keys and Passwords” is " Opinion: Is an 8-character minimum a good password length for websites to require?"

I can understand how a long password would be useful when encrypting a file or setting a wireless network key, but I don’t understand how it would matter with a website.

It seems like web site logins would be set up not to allow brute force attacks, so I wouldn’t think the length of the password would matter much.

Thanks in advance for the help in understanding this.


Hi @wbarnum,

When you say web site logins are set up not to allow brute force attacks, I suppose you mean how they for example allow 3 attempts, then ban attempts for x amount of time (like many phone logins)?

I’m by no means a security expert, nor have I formally studied this in any way… that being said :grin:

As far as I know, you’re correct in that the method I mentioned prevents most sites from being attacked via brute force.

I think there’s still a concern if an attacker somehow can make their way around the “front door” - the website login page - and somehow access the password database directly, as is often the case when you hear of a company getting hacked.

To my knowledge, these password databases are hashed - basically encrypted - not stored in plaintext for security purposes (otherwise company employees can also see users’ passwords). However, if an attacker has direct access to that database, they can perform a direct brute force attack on that. Basically, if they know the hash/encryption method, they can guess a password and see if the hashed/encrypted form matches what’s stored in the database.

To learn more about how passwords are stored in a database, including how hashing works, here’s a 10 minute video I found helpful:

But definitely, if anyone else has “actual” knowledge to help answer this question, I’d love to hear. :slight_smile: