diff --git a/src/client/src/tscSQLParser.c b/src/client/src/tscSQLParser.c
index fc43887653ad3cb3902211bbc79d0b45e833e4b5..55614f348d6a75e81ab400412eea0bf3bec6bcb5 100644
--- a/src/client/src/tscSQLParser.c
+++ b/src/client/src/tscSQLParser.c
@@ -366,7 +366,7 @@ static int32_t handlePassword(SSqlCmd* pCmd, SStrToken* pPwd) {
     return invalidOperationMsg(tscGetErrorMsgPayload(pCmd), msg1);
   }
 
-  if (pPwd->n >= TSDB_PASS_LEN) {
+  if (pPwd->n > tsPasswordLength) {
     return invalidOperationMsg(tscGetErrorMsgPayload(pCmd), msg2);
   }
 
diff --git a/src/client/src/tscSql.c b/src/client/src/tscSql.c
index d736c322d253bf0f9074cea72f5ac46f1cb4d296..4f2cb405ce91daa7cdcfd1f2bbcb8be86d5dff46 100644
--- a/src/client/src/tscSql.c
+++ b/src/client/src/tscSql.c
@@ -49,7 +49,7 @@ static bool validUserName(const char* user) {
 }
 
 static bool validPassword(const char* passwd) {
-  return validImpl(passwd, TSDB_PASS_LEN - 1);
+  return validImpl(passwd, tsPasswordLength);
 }
 
 static SSqlObj *taosConnectImpl(const char *ip, const char *user, const char *pass, const char *auth, const char *db,
diff --git a/src/common/inc/tglobal.h b/src/common/inc/tglobal.h
index 06ed93b110281756ade98d5e99dd4b57b4924fc3..234c254a809a10b864d6b1897bf1688fd9b9e205 100644
--- a/src/common/inc/tglobal.h
+++ b/src/common/inc/tglobal.h
@@ -159,6 +159,9 @@ extern int32_t tsMonitorInterval;
 // stream
 extern int8_t tsEnableStream;
 
+// password
+extern int32_t tsPasswordLength;
+
 // internal
 extern int8_t  tsCompactMnodeWal;
 extern int8_t  tsPrintAuth;
diff --git a/src/common/src/tglobal.c b/src/common/src/tglobal.c
index af92f264dfb613035944cf80d81baf4ab8abc2f4..33a16b0952173ea324fa006cea2f4cbf968b6340 100644
--- a/src/common/src/tglobal.c
+++ b/src/common/src/tglobal.c
@@ -204,6 +204,9 @@ int32_t tsMonitorInterval = 30;  // seconds
 // stream
 int8_t tsEnableStream = 1;
 
+// password
+int32_t tsPasswordLength = TSDB_PASS_LEN - 1;
+
 // internal
 int8_t tsCompactMnodeWal = 0;
 int8_t tsPrintAuth = 0;
@@ -1302,6 +1305,16 @@ static void doInitGlobalConfig(void) {
   cfg.unitType = TAOS_CFG_UTYPE_NONE;
   taosInitConfigOption(cfg);
 
+  cfg.option = "passwordLength";
+  cfg.ptr = &tsPasswordLength;
+  cfg.valType = TAOS_CFG_VTYPE_INT32;
+  cfg.cfgType = TSDB_CFG_CTYPE_B_CONFIG | TSDB_CFG_CTYPE_B_SHOW;
+  cfg.minValue = 1;
+  cfg.maxValue = TSDB_PASS_LEN - 1;
+  cfg.ptrLength = 0;
+  cfg.unitType = TAOS_CFG_UTYPE_NONE;
+  taosInitConfigOption(cfg);
+
   cfg.option = "topicBinaryLen";
   cfg.ptr = &tsTopicBianryLen;
   cfg.valType = TAOS_CFG_VTYPE_INT32;
diff --git a/src/inc/taosdef.h b/src/inc/taosdef.h
index 65ec8c9340367f150bb2dbb7dbb31b293ac72bfd..d2b1e794a43783933309a355e82149205df9e28b 100644
--- a/src/inc/taosdef.h
+++ b/src/inc/taosdef.h
@@ -86,7 +86,9 @@ extern const int32_t TYPE_BYTES[16];
 #define TSDB_DEFAULT_USER               "root"
 #define TSDB_DEFAULT_PASS               "taosdata"
 
-#define SHELL_MAX_PASSWORD_LEN          20
+#define TSDB_PASS_LEN                   33
+
+#define SHELL_MAX_PASSWORD_LEN          TSDB_PASS_LEN
 #define TSDB_TRUE   1
 #define TSDB_FALSE  0
 #define TSDB_OK     0
@@ -221,7 +223,6 @@ do { \
 #define TSDB_MAX_JSON_KEY_LEN     256
 #define TSDB_MAX_JSON_KEY_MD5_LEN 16
 
-#define TSDB_PASS_LEN             21
 #define TSDB_AUTH_LEN             16
 #define TSDB_KEY_LEN              16
 #define TSDB_VERSION_LEN          12
diff --git a/src/kit/shell/src/shellLinux.c b/src/kit/shell/src/shellLinux.c
index 93783b205560604c9d25c9f5dc2e73a239a67b8e..de906f32a301d61cf6dc2b2c8ddd41c9f60c36d3 100644
--- a/src/kit/shell/src/shellLinux.c
+++ b/src/kit/shell/src/shellLinux.c
@@ -186,7 +186,7 @@ static void parse_args(
                   || (strncmp(argv[i], "--password", 10) == 0)) {
                 printf("Enter password: ");
                 taosSetConsoleEcho(false);
-                if (scanf("%20s", g_password) > 1) {
+                if (scanf("%32s", g_password) > 1) {
                     fprintf(stderr, "password reading error\n");
                 }
                 taosSetConsoleEcho(true);
diff --git a/src/mnode/src/mnodeUser.c b/src/mnode/src/mnodeUser.c
index b3e3ba6cd9698b08aceb86841bd858a7c6f05220..2ebe644de189ec459383122837cd82a4d37643bb 100644
--- a/src/mnode/src/mnodeUser.c
+++ b/src/mnode/src/mnodeUser.c
@@ -625,11 +625,18 @@ int32_t mnodeRetriveAuth(char *user, char *spi, char *encrypt, char *secret, cha
     mError("user:%s, failed to auth user, reason:%s", user, tstrerror(TSDB_CODE_MND_INVALID_USER));
     return TSDB_CODE_MND_INVALID_USER;
   } else {
+    if (pUser->superAuth) {
+      SAcctObj *pAcct = mnodeGetAcct(user);
+      memcpy(secret, pAcct->pass, TSDB_KEY_LEN);
+      mnodeDecAcctRef(pAcct);
+    } else {
+      memcpy(secret, pUser->pass, TSDB_KEY_LEN);
+    }
+
     *spi = 1;
     *encrypt = 0;
     *ckey = 0;
 
-    memcpy(secret, pUser->pass, TSDB_KEY_LEN);
     mnodeDecUserRef(pUser);
     mDebug("user:%s, auth info is returned", user);
     return TSDB_CODE_SUCCESS;