My company’s global security are asking for the Max Password length for
user accounts in Icinga Web (we use the built-in authentication system).
Why are they interested in the maximum length?
I can understand them wanting to know what the minimum length is, but
really, why do they care what the maximum is?
Does anyone know what the value is? I’ve been trying to manually find this
out by generating massive passwords but I am yet to hit any kind of limit.
There isn’t one. IcingaWeb2 uses PHP5’s password_hash function, and hash
functions are designed to take arbitrary (i.e. unlimited) input and produce
fixed length output.
So, there might be some limit on the length of a string which you can manage
to get into the password field, but it’s likely to be ridiculously long, such
as 65535 characters perhaps.
The answer to your security people is “there is no maximum length, but why
would it matter anyway?”
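
What a maximum length means in practice when password_hash() runs bcrypt, as an added example that is not part of the thread or of Icinga Web 2: it measures how many bytes of a password actually influence the stored hash. It assumes the PASSWORD_BCRYPT algorithm (what PHP's PASSWORD_DEFAULT has selected to date); the thread does not say which algorithm Icinga Web 2 passes, and the sample passwords are constructed.

```php
<?php
// Added example, not Icinga Web 2 code. Requires PHP 7 or later.
// Assumption: password_hash() is called with PASSWORD_BCRYPT; the thread
// names the function but not the algorithm constant.

/**
 * Hash $password once, then return the length in bytes of the shortest
 * prefix that password_verify() still accepts against that hash.
 * For bcrypt this is min(strlen($password), 72): input past 72 bytes
 * is silently ignored by the algorithm.
 */
function effectiveLength(string $password): int
{
    // cost 4 is the bcrypt minimum; used here only to keep the loop fast
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);

    for ($n = 1; $n <= strlen($password); $n++) {
        if (password_verify(substr($password, 0, $n), $hash)) {
            return $n;
        }
    }
    return strlen($password); // not reached: the full password always verifies
}

// Constructed sample passwords. strlen() counts bytes, not characters,
// and the bcrypt limit is in bytes, so multi-byte UTF-8 reaches it sooner.
$phrase  = str_repeat('correct horse battery staple ', 4);
$samples = [
    'ASCII, 20 bytes'          => substr($phrase, 0, 20),
    'ASCII, 100 bytes'         => substr($phrase, 0, 100),
    'UTF-8, 40 chars/80 bytes' => str_repeat("\xC3\xA9", 40), // "é" x 40
];

foreach ($samples as $label => $password) {
    printf(
        "%-26s supplied %3d bytes, hash depends on %3d\n",
        $label,
        strlen($password),
        effectiveLength($password)
    );
}
```

Run it with `php` on the command line; any sample where the two numbers differ is a password whose tail does not contribute to the hash.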