What are the standard minimum and maximum lengths of username, password and email? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.

---

Want to improve this question? Add details and clarify the problem by editing this post.

Closed 1 year ago.

开发者_运维技巧 Improve this question

What are the standard minimum and maximum lengths of username, password and email?

---

A little late to the party, but here is my answer: Maximum User Field Lengths Query for StackOverflow

And the query results below for posterity:

Max DisplayName    Max Password Max Email Length                                      
Length Used On SO  Length
------------------ ------------ ---------------------------------------------------- 
36                 As long as   254 (See: https://stackoverflow.com/a/574698/1945631)
                   possible
(1 row(s) affected)

And, from the above query results, the maximum email length answer as a link

---

I have issues with this question, as it pre-supposes that there should be a standard, and that the values will be the same across all services.

I don't think it's useful to impose a maximum length for any of these fields, especially the password field. With password hashing, there's no space benefit from restricting password length. There may be cause to limit the minimum password length, but what the minimum should be depends on the security of the service.

With the email address, you can't guess how long an address your users will pick, nor how short: who are you to say that a.very.long.address@some.subdomain.of.makealongeremailaddress.com isn't valid, and conversely, that Twitter won't start selling email aliases on t.co?

Usernames are slightly more difficult to reason about, but again I'd argue that there's no benefit to restricting the length. If your service is likely to be popular, then (like Google) you may benefit from stopping the race to get the short vanity usernames, but especially if you're popular, there's no benefit to restricting the length and if you do then you may be stopping your users from finding a suitable name that's not already taken (cf "No-As-Big-As-Medium-Sized-Jock-But-Bigger-Than-Wee-Jock-Jock").

---

According to RFC 5321 (SMTP), "the maximum total length of a reverse-path or forward-path [an email address] is 256 octets [bytes]." Also, "the maximum total length of a user name or other local-part is 64 octets" and "the maximum total length of a domain name or number is 255 octets." (That's bytes, not characters; in Unicode, the difference matters.)

The length of usernames and passwords varies per system. If your designing a web app that uses usernames and passwords, set your own limits. Keep in mind that too short passwords are potentially unsafe.