Friday, December 12, 2014

forms - What should be maximum and minimum length of persons User Name & Password?




I am wondering because I am trying to make sure that person have right amount of spaces for their user name.


User Name and Password are security measures and should not be easy to guess. I have fixed amount of characters to Passwords no shorter than 6 characters because most sites use 6-8 characters when create an account. Because of limitation of my progams database file I cannot have passwords longer than 20 characters. What about User Name field? Too short User Name would be too easy to guess, too long, might cause program errors (since maximum length of single line TextBox in .Net/C# is about 32767 characters).


What should be the maximum and minimum length of User Name and Password fields?



Answer



Between 6 and 20 characters for a password is acceptable, although I would normally not restrict the password length quite so tightly at the max end (see my final comment in bold, below).


A username however should be able to be short. If your application requires the username to be unguessable, then you might as well ask for two passwords rather than one.


If I'm an early adopter of a product/website/startup I like to be able to choose a short username - perhaps my first name, after all it's usually a name by which I refer to myself in the context of your application, and an id by which the application will refer to me.


Therefore I would think twice before restricting the minimum length of a username at all - other than non-blank of course. In any case you need to validate a username against those that exist already (I suggest in-line validation here).


With respect to the maximum length, anyone who enters a really long username is digging a hole for themselves anyway as they may well end up having to type that username frequently in the future.


You should also think beyond the textbox max-length restriction as to where and how that username mught be stored, displayed and used in the future. Could it ever form part of an email address, a filename, a sub-level domain prefix, etc, etc. (I'm sure you'll have more pertinent questions for your own application context).



I'm torn between the 'why restrict it at all' option and the 'keep it short enough never to be a problem'. I believe 32767 would be a mistake that could come back to bite you at some future point and I would advise an option where you can understand and deal with a known quantity in the future with the minimum of fuss.


For this reason, while taking the above consideration about future uses into account I would make the username length as long as possible, but no shorter than necessary.


No comments:

Post a Comment

technique - How credible is wikipedia?

I understand that this question relates more to wikipedia than it does writing but... If I was going to use wikipedia for a source for a res...