The current maximum length of passwords generated by 1Password 6 for Windows is 64 characters. This limit was initially set due to UI and storage constraints, but it is now considered overkill.
I was wondering why the limitation is at 64 characters.
I did some investigation and stumbled upon GRC's Haystack Calculator, which calculated the time it would take to crack a password using a massive cracking array. The calculation showed that even in a massive cracking array scenario, it would take up to 12.06 million trillion trillion trillion trillion trillion trillion trillion trillion centuries to crack the password.
Well, that's a whole lot of time for an attacker just to read my emails. This is why 64-character passwords are plenty, and every other part of the security system becomes more important, after a certain password length.
Further interesting reads on the topic of password security:
Fortunately, Jeffrey Goldberg, who posted one of the top 3 answers on that thread, is AgileBits' cryptographer, so they know what they're doing pretty well, too. Those articles on the math are great until I'm somewhere trying to explain it to someone and I can't find a good one.
AGAlumB 1Password Alumni
Those articles on the math are great until I'm somewhere trying to explain it to someone and I can't find a good one. It does appear that anything 22 characters or longer and fully random with alphanumeric characters is sufficient for literally almost anything. Especially if it's hashed to a 128-bit value for storage on the back-end (likely).
dszp Community Member
Unfortunately, since comment type is turned off, this should be unnecessary but, from TechCrunch Reality check: If a 64-character passcode is sufficient for what you need, stop using a four-digit passcode.
AGAlumB 1Password Alumni
Indeed, as mentioned by dszp here and others elsewhere (there was a great discussion on this topic recently), 64 characters is beyond overkill at this point. We put an (in)sane limit on this because frankly there has to be some limit due to UI and storage constraints, and 64 gives us plenty of headroom. No doubt we'll raise it in the future, long before it becomes truly necessary. In a perfect world, websites would accept passwords of any length and simply salt and hash them, and 1Password would happily produce an enormous random blob for this purpose... but of course given that 64 characters is already ludicrous, there's no need for us to bloat our vaults in this fashion yet.
analogist Community Member
There's also another approach to thinking about this via available energy for computation: if we assume information-theoretic limits via Landauer's principle, even if you used up all available mass-energy in the entire solar system, it is only theoretically possible to perform 2^225.2 operations, which corresponds to a 35-digit password (in A-Za-z0-9 + symbols, or 38 digits alphanumeric A-Za-z0-9 only). Basically, given a theoretically perfect computer (in best known physical and mathematical principles), a future civilization will have to use up an entire solar system to crack a single 35-digit password.
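The lengths quoted in this thread (22 alphanumeric characters against a 128-bit hash, and 35 or 38 characters against the 2^225.2-operation bound) can be reproduced from the entropy formula for uniformly random passwords. This is an added example, not part of the original posts or 1Password's code; the function names and the 94-symbol "alphanumeric plus ASCII punctuation" alphabet are assumptions.

```python
import math
import secrets
import string

# Alphabets (assumed): 62 alphanumerics, and those plus 32 ASCII punctuation marks.
ALNUM = string.ascii_letters + string.digits
PRINTABLE = ALNUM + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest random password whose search space reaches 2**target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits(length: int, alphabet_size: int, digest_bits: int) -> float:
    """Strength is capped by the stored hash size: past that point an attacker
    can search for any input with the same digest instead of the password."""
    return min(entropy_bits(length, alphabet_size), digest_bits)


def generate(length: int, alphabet: str = ALNUM) -> str:
    """Draw each character from the OS CSPRNG; secrets.choice is unbiased."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    landauer_bits = 225.2  # operation bound quoted in the thread
    print("128-bit target, alphanumeric:", min_length(128, len(ALNUM)))
    print("Landauer bound, alnum+symbols:", min_length(landauer_bits, len(PRINTABLE)))
    print("Landauer bound, alphanumeric:", min_length(landauer_bits, len(ALNUM)))
    print("64 alphanumeric chars, bits:", round(entropy_bits(64, len(ALNUM)), 1))
    print("...against a 128-bit digest:", effective_bits(64, len(ALNUM), 128))
    print("sample 64-char password:", generate(64))
```

These figures hold only for passwords drawn uniformly at random, as a generator does; human-chosen passwords of the same length have far less entropy.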
AGAlumB 1Password Alumni
Indeed! While the advent of future technologies may change things, as it stands, 64 characters ought to be enough for anybody (cue Bill Gates jokes). Our own julie-tx had a lot to say on this subject in another discussion as well, in case you're interested.