What should be the maximum and minimum length of a person's User Name & Password?

  • I am wondering because I am trying to make sure that a person has the right amount of spaces for their user name.

    User Name and Password are security measures and should not be easy to guess. I have fixed the amount of characters for Passwords to no shorter than 6 characters because most sites use 6-8 characters when creating an account. Because of a limitation of my program's database file I cannot have passwords longer than 20 characters. What about the User Name field? Too short a User Name would be too easy to guess; too long might cause program errors (since the maximum length of a single-line TextBox in .Net/C# is about 32767 characters).

    What should be the maximum and minimum length of User Name and Password fields?

    You probably should be storing a password **hash**. That hash can be precisely 20 characters regardless of the length of the actual password.

    user name is not a security measure, and this site is not the right place to ask about passwords imho, try http://security.stackexchange.com/

    Please allow 3-character usernames, my username is usually M28, but sometimes some forms don't allow it :(

    IMHO security can have a strong impact on design. As UX designers we should gather security requirements that could impact design. What do you think?

    http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ suggests that you are wrong if you assume that all users have names :P

    Having come across this page while searching for best practices on user name lengths, here's a specific discussion on the Information Security Stack Exchange site on why you would want a fixed, minimum length for user names: https://security.stackexchange.com/questions/46875/why-is-there-a-minimum-username-length

  • Between 6 and 20 characters for a password is acceptable, although I would normally not restrict the password length quite so tightly at the max end (see my final comment in bold, below).

    A username however should be able to be short. If your application requires the username to be unguessable, then you might as well ask for two passwords rather than one.

    If I'm an early adopter of a product/website/startup I like to be able to choose a short username - perhaps my first name, after all it's usually a name by which I refer to myself in the context of your application, and an id by which the application will refer to me.

    Therefore I would think twice before restricting the minimum length of a username at all - other than non-blank of course. In any case you need to validate a username against those that exist already (I suggest in-line validation here).

    With respect to the maximum length, anyone who enters a really long username is digging a hole for themselves anyway as they may well end up having to type that username frequently in the future.

    You should also think beyond the textbox max-length restriction as to where and how that username might be stored, displayed and used in the future. Could it ever form part of an email address, a filename, a sub-level domain prefix, etc, etc. (I'm sure you'll have more pertinent questions for your own application context).

    I'm torn between the 'why restrict it at all' option and the 'keep it short enough never to be a problem'. I believe 32767 would be a mistake that could come back to bite you at some future point and I would advise an option where you can understand and deal with a known quantity in the future with the minimum of fuss.

    For this reason, while taking the above consideration about future uses into account I would make the username length as long as possible, but no shorter than necessary.

    For systems with a 'non displayed' username I often use my email address (so it's consistent with systems which DO use my email address as the username). So you want a username length which will handle a corporate email length - and some of these can be pretty long.

    @PhillipW - a great example for keeping such restrictions as long as possible but no shorter than necessary - it is not for the application to second guess how users will choose their username!
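
The comment above about storing a password hash, and the answer's advice not to cap password length tightly, can be illustrated with a short added example (Python standard library; it is not code from any poster in this thread). The salted PBKDF2 scheme, the iteration count, the 128-character ceiling and the function names are assumptions of the example; the point is that the stored value has the same length for every password, so the database field width does not have to limit what the user types.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example: the 6-character minimum comes from the
# question; the 128-character ceiling is an arbitrary, generous cap.
MIN_LEN, MAX_LEN = 6, 128
ITERATIONS = 600_000            # assumed PBKDF2-HMAC-SHA256 work factor
SALT_BYTES, KEY_BYTES = 16, 32  # assumed salt and derived-key sizes


def hash_password(password: str) -> str:
    """Return a fixed-length record: base64(salt || derived key)."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError(f"password must be {MIN_LEN}-{MAX_LEN} characters")
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_BYTES)
    return base64.b64encode(salt + key).decode("ascii")


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    raw = base64.b64decode(record)
    salt, expected = raw[:SALT_BYTES], raw[SALT_BYTES:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_BYTES)
    return hmac.compare_digest(key, expected)


# Width the database column needs: 48 raw bytes encode to 64 base64
# characters, whatever the password length.
RECORD_CHARS = len(base64.b64encode(bytes(SALT_BYTES + KEY_BYTES)))

if __name__ == "__main__":
    # Constructed sample passwords: one short, one long.
    for pw in ("abc123", "correct horse battery staple " * 4):
        rec = hash_password(pw)
        print(len(pw), "typed chars ->", len(rec), "stored chars,",
              "verifies:", verify_password(pw, rec))
```
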

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM