Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

What If a Password is Limited to only 8 Characters?

//
I installed a new supposedly very good Buffalo WZR-D 1800H router. It will not accept more than 8 characters for a router password. Because of your articles and other it doesn’t seem as secure as it should be. Is there any way to add more characters to the password? It just stops accepting characters after the 8th entry.

Unfortunately, the answer to the question you ask is is no.

If a device or a website or anything that requests a password is limiting you to only 8 characters, then there is really nothing you can do to somehow increase that limit. It’s a hard-coded limitation of the software involved.

The real question then becomes: what do you do instead?

And that, in turn, depends on your application.

Become a Patron of Ask Leo! and go ad-free!

Do the best you can with what you have

The simplest, and honestly the most common solution in a case like this is to do as good a job as you can with what you’re given.

So you’re limited to only 8 characters then the best you can do is to simply make the best possible password that you can that uses 8 characters.

So that brings us back to the usual litany of using random characters selected from upper and lower case alphabetic characters, numbers and special characters. There are several good password generators that will do a very nice job of generating you a random 8-character password. One good example would be GRC’s Perfect Passwords – just copy any 8 characters from the random passwords that it generates, and you’re good.

But you may not have to.

Router passwords

In a case of a router’s administrative login – the login you use access the administration interface for the router – you may not need to get that involved.

To be really honest, 99.9% of the security you need with a router you get by having any password that isn’t the default password.

There exists malware that simply knows the default passwords for a huge variety of routers, and that relies on people never having changed that password. When this kind of malware infects a machine it simply tries all the different router default password combinations that it knows about to see if maybe one of them will work.

If it does, of course, the malware can then do nasty things to the router – all because the owner left the default password.

When it comes to your router, unless it’s a publicly accessible router somewhere other than your home, I’d actually be ok with an easy to remember, simple password. But if there’s any doubt, go for the 8 character random one.

Regardless of which you use, you can use a tool like Lastpass or Roboform to remember it for you.

Different requirements for different situations

If you encounter this limitation in other situations … well, it really depends on the situation.

If this were my bank, for example, I’d be really, really upset and would probably choose not to use that bank or at least not use that bank’s online services. 8 characters just isn’t sufficient security any more for anything that’s online and particularly anything so sensitive as financial information.

I believe secure passwords today should be a minimum of 12 characters with 16 or even longer being much, much better.

If you encounter this same limitation elsewhere you’ll need to consider how important it is, and whether you’re willing to settle for the 8 character restriction. If so, make the best of it, as described above.

For the admin password for a router that’s on your own network I think you’ll actually be just fine with 8 characters.

Besides, short of replacing the router, 8 characters is all you’re going to get.

1 thought on “What If a Password is Limited to only 8 Characters?”

  1. Some websites have a limit like this as well – what I wish is that in this case they would show on the screen that it is that long (e.g. “Password [ ] (1-8 characters)”)… there are so many times where I have tried using my formula for generating the password (each website has its own password, based on a formula I use based on the web address), got an error, and then requested a new password!

    Fortunately, none of the websites like this are “critical”, although ironically one of the police information sites I use has this restriction, but they didn’t respond to an email I sent about it!

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.