
PASSWORDMAXLENGTH - Detailed description

FM-Portal

IC2883

Overview

Parameter: PASSWORDMAXLENGTH
Category: Login
Default value: PasswordMinLength * 3 (dynamic, default 24 when PASSWORDMINLENGTH=8)
Product: eTASK.Login


What does this parameter do?

This parameter sets the maximum number of characters a password may have in the FM Portal. It caps the input that is passed to the password hashing function, so that excessively long passwords cannot be used to cause disproportionate hashing effort. Unless a fixed value is configured, the upper limit is calculated automatically as three times the minimum length.


What is this parameter used for?

  • Password validation during user registration

  • Password changes by existing users

  • Password reset processes by administrators

  • Protection against DoS attacks caused by excessively long passwords

  • Consistent user experience through defined limits


Technical Details (for Administrators)

Format: Integer or dynamic formula
Default value: PasswordMinLength * 3 (PASSWORDMINLENGTH=8 results in 24)
Dynamic calculation: As long as the formula is left in place, the value follows every change to PASSWORDMINLENGTH; a fixed integer value does not adjust automatically

Examples of valid configurations:

- 24 - Default for PASSWORDMINLENGTH=8 (24 = 8 × 3)
- 36 - For PASSWORDMINLENGTH=12 (36 = 12 × 3)
- 48 - When PASSWORDMINLENGTH=16 (48 = 16 × 3)
- 128 - Absolute maximum (set manually if necessary)

Recommended range: 20–64 characters

Important: The maximum length must ALWAYS be at least as large as PASSWORDMINLENGTH. The system enforces the rule "PASSWORDMAXLENGTH ≥ PASSWORDMINLENGTH"; with a smaller maximum no password could satisfy both limits.

Interaction with other parameters:
- PASSWORDMINLENGTH: Minimum length (must not exceed the maximum)
- PASSWORDPOLICY: Defines complexity rules (special characters, numbers, etc.)
- PASSWORDHISTORYLENGTH: Prevents reuse of old passwords

Applies ONLY to: User accounts managed locally in the FM Portal. For Active Directory authentication, the AD policies apply.


When should you change this value?

Increase the value (e.g., to 64 or 128) if:

  • Your organization allows passphrases instead of passwords (e.g., "ThisIsMySecurePasswordForTheFMPortal2025!")

  • Compliance requirements mandate longer passwords

  • You want to promote password managers that automatically generate long, complex passwords

  • High-security environments aim for maximum security through length

Keep the value (default: dynamically calculated) if:

  • The automatic triple rule (PASSWORDMINLENGTH × 3) meets your requirements

  • No specific security policies require an adjustment

  • A balance between security and user-friendliness is desired

Decrease the value (NOT recommended):

Reducing the value below the triple rule is not advisable in most cases, as it unnecessarily restricts user flexibility.


Important Notes

  1. Automatic adjustment: The default value automatically adjusts to changes in PASSWORDMINLENGTH. If you increase PASSWORDMINLENGTH from 8 to 12, PASSWORDMAXLENGTH automatically increases from 24 to 36.

  2. Existing Passwords: If you REDUCE the maximum length (e.g., from 64 to 32), users with existing longer passwords can still log in. The change takes effect only upon the next password change.

  3. Performance considerations: Extremely long passwords (>128 characters) increase the work the password hashing function (bcrypt/PBKDF2) has to do on every login attempt; this is the denial-of-service concern behind the limit. Note that standard bcrypt processes only the first 72 bytes of a password, so with bcrypt a limit above that adds no strength. The triple rule offers a good compromise.

  4. User information: If you make this change manually, you should inform users about the new maximum length to avoid frustration.

  5. Maintain consistency: Ensure that PASSWORDMAXLENGTH remains ≥ PASSWORDMINLENGTH; otherwise, valid passwords cannot be created.

  6. Password manager compatibility: Most password managers generate passwords between 16 and 32 characters by default. The maximum should therefore be at least 32; a value of 48 or 64 leaves headroom for longer generator settings and passphrases.
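The triple rule and the PASSWORDMAXLENGTH ≥ PASSWORDMINLENGTH invariant from the Technical Details section, together with notes 2 and 3 above (existing passwords keep working after the limit is lowered; the length is checked before hashing), in working form. This is an added example written for this article, not eTASK.Login or FM-Portal code: the configuration dictionary, the string spelling of the dynamic formula, the PBKDF2-HMAC-SHA256 hashing and the sample password are assumptions made for illustration.

```python
"""Password length policy modelled on PASSWORDMINLENGTH / PASSWORDMAXLENGTH.

Added example, not FM-Portal code. The configuration keys, the string form of
the dynamic default ("PasswordMinLength * 3") and the hashing scheme
(PBKDF2-HMAC-SHA256 from the standard library) are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

DYNAMIC_DEFAULT = "PasswordMinLength * 3"  # assumed spelling of the dynamic formula


def resolve_max_length(config: dict) -> int:
    """Return the effective PASSWORDMAXLENGTH for a configuration dictionary.

    The configured value may be an integer or the dynamic formula; in both
    cases the invariant PASSWORDMAXLENGTH >= PASSWORDMINLENGTH is enforced.
    """
    min_len = int(config.get("PASSWORDMINLENGTH", 8))
    raw = config.get("PASSWORDMAXLENGTH", DYNAMIC_DEFAULT)
    if isinstance(raw, str) and raw.replace(" ", "").lower() == "passwordminlength*3":
        max_len = min_len * 3
    else:
        max_len = int(raw)
    if max_len < min_len:
        raise ValueError(
            f"PASSWORDMAXLENGTH ({max_len}) must not be below PASSWORDMINLENGTH ({min_len})"
        )
    return max_len


def check_password_length(password: str, config: dict) -> Optional[str]:
    """Return None if the length is acceptable, otherwise a rejection reason.

    Length is counted in characters (code points), matching the
    "number of characters" wording of the parameter description.
    """
    min_len = int(config.get("PASSWORDMINLENGTH", 8))
    max_len = resolve_max_length(config)
    n = len(password)
    if n < min_len:
        return f"too short: {n} < PASSWORDMINLENGTH={min_len}"
    if n > max_len:
        return f"too long: {n} > PASSWORDMAXLENGTH={max_len}"
    return None


class LocalUserStore:
    """Minimal store for locally managed accounts (AD accounts are out of scope)."""

    ITERATIONS = 200_000  # PBKDF2 work factor; assumed value

    def __init__(self, config: dict):
        self.config = config
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        """Registration, self-service change and admin reset all go through here.

        The length check runs before hashing, so an over-long password is
        rejected cheaply instead of being fed to the key derivation function.
        """
        reason = check_password_length(password, self.config)
        if reason is not None:
            raise ValueError(reason)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)
        self._users[user] = (salt, digest)

    def login(self, user: str, password: str) -> bool:
        """Login only verifies the stored hash and does not re-apply the current
        limits, so a password set under a higher PASSWORDMAXLENGTH keeps working
        until the next password change."""
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Replay the article's scenario with constructed sample values."""
    config = {"PASSWORDMINLENGTH": 8, "PASSWORDMAXLENGTH": DYNAMIC_DEFAULT}
    store = LocalUserStore(config)
    generated = "K7#mX9$pL2@nB5!qW8&tY3^rE6*vC1"  # 30-character generated password (constructed)
    results = {"default_max": resolve_max_length(config)}           # 24
    results["rejected_at_default"] = check_password_length(generated, config)
    config["PASSWORDMAXLENGTH"] = 64                                  # admin sets a fixed value
    store.set_password("anna.mueller", generated)
    results["login_after_raise"] = store.login("anna.mueller", generated)
    config["PASSWORDMAXLENGTH"] = 24                                  # limit lowered again later
    results["login_after_lower"] = store.login("anna.mueller", generated)          # still works
    results["rechange_after_lower"] = check_password_length(generated, config)   # next change fails
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth copying: the limit is resolved once from the configuration and validated against the minimum, so a misconfiguration surfaces as an error rather than as silently rejected passwords, and the login path never looks at PASSWORDMAXLENGTH at all, which is what makes lowering the value safe for existing accounts.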


Security

Does changing this parameter affect security?

Yes, but primarily indirectly.

Positive security aspects:

  • Allow long passwords: A higher value enables users to use very secure passphrases (e.g., "I-love-facility-management-since-2025!")

  • Password manager support: Modern password managers often generate passwords 20–32 characters long—a maximum value that is too low would block them

  • Brute-force protection: A higher cap does not make passwords stronger by itself, but it lets users choose longer passwords, and every additional character multiplies the search space a brute-force attacker has to cover

Potential risks:

  • A maximum length that is too low (e.g., <20 characters) may force users to choose weaker passwords

  • Extremely high values (>256 characters) could theoretically enable DoS attacks due to excessive hashing effort (very unlikely with normal values)

Interaction with security parameters:

  • Optimal in combination with PASSWORDPOLICY=All (upper/lowercase letters, numbers, special characters)

  • Works alongside PASSWORDHISTORYLENGTH: the history check blocks reuse of old passwords, and a generous maximum makes it easier for users to pick a genuinely new password rather than a minor variation of an old one

  • Complements LOCKOUTTHRESHOLD and LOCKOUTDURATIONMINUTES for comprehensive protection

Conclusion: The maximum length should be set generously (at least 24–32 characters) to avoid restricting secure passwords. The dynamic default value (PASSWORDMINLENGTH × 3) is optimal for most scenarios.


Practical example

Initial situation:
Your organization is rolling out password managers company-wide. Users report that automatically generated passwords of 30 or more characters are being rejected because the current maximum length is 24 (PASSWORDMINLENGTH=8, PASSWORDMAXLENGTH=24).

Configuration:
You change PASSWORDMAXLENGTH from PasswordMinLength * 3 to a fixed value of 64.

After the change:

  1. User "Anna Müller" changes her password in the FM portal:
    - Her password manager suggests: K7#mX9$pL2@nB5!qW8&tY3^rE6*vC1
    - Length: 30 characters (more than the previous maximum of 24)
    - The portal accepts the password
    - Anna can log in using the secure password managed by the password manager

  2. User "Max Schmidt" creates a new account:
    - He chooses a passphrase: Ich-liebe-Facility-Management-2025!
    - Length: 35 characters
    - The portal accepts the passphrase
    - Max can remember his passphrase more easily than a cryptic 12-character password

  3. Administrator checks the system:
    - Existing 24-character passwords remain valid
    - New passwords can be up to 64 characters long
    - PASSWORDMINLENGTH (8) is still enforced
    - No performance issues due to the change

Result:
Security increases because users can now use very strong passwords generated by a password manager or easy-to-remember passphrases without being restricted by an overly restrictive maximum length.


Recommended setting

Default installations: Leave the dynamic value PasswordMinLength * 3. With PASSWORDMINLENGTH=8, this results in a maximum length of 24 characters, which is sufficient as long as no password manager use or passphrases are expected.

High-security environments or password manager use: Set a fixed value of 48 or 64 characters. This enables very strong, machine-generated passwords or passphrases.

Never: Use values under 20 characters—this unnecessarily compromises security.

