diff --git a/src/client/src/tscSQLParser.c b/src/client/src/tscSQLParser.c
index 9c64786459518a7d0226a7507a7e30d8318b7e0e..acaabbf17dacb769ccc19d0f90db35ff5f65f041 100644
--- a/src/client/src/tscSQLParser.c
+++ b/src/client/src/tscSQLParser.c
@@ -169,7 +169,7 @@ static int32_t handlePassword(SSqlCmd* pCmd, SSQLToken* pPwd) {
     return invalidSqlErrMsg(tscGetErrorMsgPayload(pCmd), msg1);
   }
 
-  if (pPwd->n > TSDB_PASSWORD_LEN) {
+  if (pPwd->n >= TSDB_PASSWORD_LEN) {
     return invalidSqlErrMsg(tscGetErrorMsgPayload(pCmd), msg2);
   }
 
diff --git a/src/client/src/tscSql.c b/src/client/src/tscSql.c
index 5f2a8598dbc02b22084d1cded10993fd29c763b7..a5cfa405160e77a565fee643752696667db5f945 100644
--- a/src/client/src/tscSql.c
+++ b/src/client/src/tscSql.c
@@ -45,11 +45,11 @@ static bool validImpl(const char* str, size_t maxsize) {
 }
 
 static bool validUserName(const char* user) {
-  return validImpl(user, TSDB_USER_LEN);
+  return validImpl(user, TSDB_USER_LEN - 1);
 }
 
 static bool validPassword(const char* passwd) {
-  return validImpl(passwd, TSDB_PASSWORD_LEN);
+  return validImpl(passwd, TSDB_PASSWORD_LEN - 1);
 }
 
 SSqlObj *taosConnectImpl(const char *ip, const char *user, const char *pass, const char *db, uint16_t port,
diff --git a/src/common/src/tglobal.c b/src/common/src/tglobal.c
index 8c77f0b5f316617d2fe7ee0f1b58617cec80a084..0cd0e48fbf50dc290e5ce3209e551ff10930274f 100644
--- a/src/common/src/tglobal.c
+++ b/src/common/src/tglobal.c
@@ -728,7 +728,7 @@ static void doInitGlobalConfig() {
   cfg.cfgType = TSDB_CFG_CTYPE_B_CONFIG | TSDB_CFG_CTYPE_B_CLIENT | TSDB_CFG_CTYPE_B_NOT_PRINT;
   cfg.minValue = 0;
   cfg.maxValue = 0;
-  cfg.ptrLength = TSDB_PASSWORD_LEN;
+  cfg.ptrLength = TSDB_PASSWORD_LEN - 1;
   cfg.unitType = TAOS_CFG_UTYPE_NONE;
   taosInitConfigOption(cfg);
 
diff --git a/src/plugins/http/src/gcHandle.c b/src/plugins/http/src/gcHandle.c
index a99059ea34b9a307c544bc43b8469adb7fd62d97..176e16301bb764faae12c8329ea410d9546d6268 100644
--- a/src/plugins/http/src/gcHandle.c
+++ b/src/plugins/http/src/gcHandle.c
@@ -58,7 +58,7 @@ bool gcGetUserFromUrl(HttpContext* pContext) {
 
 bool gcGetPassFromUrl(HttpContext* pContext) {
   HttpParser* pParser = &pContext->parser;
-  if (pParser->path[GC_PASS_URL_POS].len > TSDB_PASSWORD_LEN - 1 || pParser->path[GC_PASS_URL_POS].len <= 0) {
+  if (pParser->path[GC_PASS_URL_POS].len >= TSDB_PASSWORD_LEN || pParser->path[GC_PASS_URL_POS].len <= 0) {
     return false;
   }
 
diff --git a/src/plugins/http/src/httpAuth.c b/src/plugins/http/src/httpAuth.c
index 752c7d1d5080cfe56fff4c3b63de45aee4d56c53..4738da4fb0823c1cf18e2fb273adc957aa262582 100644
--- a/src/plugins/http/src/httpAuth.c
+++ b/src/plugins/http/src/httpAuth.c
@@ -89,7 +89,7 @@ bool httpParseTaosdAuthToken(HttpContext *pContext, char *token, int len) {
     return false;
   } else {
     tstrncpy(pContext->user, descrypt, sizeof(pContext->user));
-    tstrncpy(pContext->pass, descrypt + TSDB_USER_LEN, TSDB_PASSWORD_LEN);
+    tstrncpy(pContext->pass, descrypt + TSDB_USER_LEN, sizeof(pContext->pass));
 
     httpTrace("context:%p, fd:%d, ip:%s, taosd token:%s parsed success, user:%s", pContext, pContext->fd,
               pContext->ipstr, token, pContext->user);
@@ -102,7 +102,7 @@ bool httpParseTaosdAuthToken(HttpContext *pContext, char *token, int len) {
 bool httpGenTaosdAuthToken(HttpContext *pContext, char *token, int maxLen) {
   char buffer[TSDB_USER_LEN + TSDB_PASSWORD_LEN] = {0};
   strncpy(buffer, pContext->user, sizeof(pContext->user));
-  strncpy(buffer + TSDB_USER_LEN, pContext->pass, TSDB_PASSWORD_LEN);
+  strncpy(buffer + TSDB_USER_LEN, pContext->pass, sizeof(pContext->pass));
 
   char *encrypt = taosDesEncode(KEY_DES_4, buffer, TSDB_USER_LEN + TSDB_PASSWORD_LEN);
   char *base64 = base64_encode((const unsigned char *)encrypt, TSDB_USER_LEN + TSDB_PASSWORD_LEN);
diff --git a/src/plugins/http/src/restHandle.c b/src/plugins/http/src/restHandle.c
index b9b096ac77e87a6bf7903d10e87522f3bc79c26e..93094fa287b9eb272ed1c9224026594e7d12772f 100644
--- a/src/plugins/http/src/restHandle.c
+++ b/src/plugins/http/src/restHandle.c
@@ -71,7 +71,7 @@ bool restGetUserFromUrl(HttpContext* pContext) {
 
 bool restGetPassFromUrl(HttpContext* pContext) {
   HttpParser* pParser = &pContext->parser;
-  if (pParser->path[REST_PASS_URL_POS].len > TSDB_PASSWORD_LEN - 1 || pParser->path[REST_PASS_URL_POS].len <= 0) {
+  if (pParser->path[REST_PASS_URL_POS].len >= TSDB_PASSWORD_LEN || pParser->path[REST_PASS_URL_POS].len <= 0) {
     return false;
   }
 
diff --git a/src/plugins/http/src/tgHandle.c b/src/plugins/http/src/tgHandle.c
index abc4acae654d66bcb93ed6e68744ffafdd9a2b51..b85f27d175ca541153b50e5224eb766cd6bbe9c4 100644
--- a/src/plugins/http/src/tgHandle.c
+++ b/src/plugins/http/src/tgHandle.c
@@ -316,11 +316,11 @@ bool tgGetUserFromUrl(HttpContext *pContext) {
 
 bool tgGetPassFromUrl(HttpContext *pContext) {
   HttpParser *pParser = &pContext->parser;
-  if (pParser->path[TG_PASS_URL_POS].len > TSDB_PASSWORD_LEN - 1 || pParser->path[TG_PASS_URL_POS].len <= 0) {
+  if (pParser->path[TG_PASS_URL_POS].len >= TSDB_PASSWORD_LEN || pParser->path[TG_PASS_URL_POS].len <= 0) {
     return false;
   }
 
-  tstrncpy(pContext->pass, pParser->path[TG_PASS_URL_POS].pos, TSDB_PASSWORD_LEN);
+  tstrncpy(pContext->pass, pParser->path[TG_PASS_URL_POS].pos, sizeof(pContext->pass));
   return true;
 }