847
submitted 3 months ago* (last edited 3 months ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[-] Valmond@lemmy.world 5 points 3 months ago

Why not? You're hashing it anyways, right?

Right?!

[-] phcorcoran@lemmy.world 12 points 3 months ago

Sure but if my password is the entire lord of the rings trilogy as a string, hashing that would consume some resources

[-] Valmond@lemmy.world 2 points 3 months ago

I think there are other problems before that ๐Ÿ˜‚

[-] unmagical@lemmy.ml 5 points 3 months ago

Of course, but if you're paying for network and processing costs you might as well cap it at something secure and reasonable. No sense in leaving that unbounded when there's no benefit over a lengthy cap and there are potentially drawbacks from someone seeing if they can use the entirety of Wikipedia as their password.

[-] DaPorkchop_@lemmy.ml 1 points 3 months ago

You can also hash it on the client-side, then the server-side network and processing costs are fixed because every password will be transmitted using same number of bytes

[-] unmagical@lemmy.ml 2 points 3 months ago

You still need to deal with that on the server. The client you build and provide could just truncate the input, but end users can pick their clients so the problem still remains.

[-] DaPorkchop_@lemmy.ml 1 points 3 months ago

The server can just reject any password hash it receives which isn't exactly hash-sized.

[-] Valmond@lemmy.world 1 points 3 months ago

That would take care of it, you do nead to salt & hash it again server side ofc.

[-] frezik@midwest.social 2 points 3 months ago

Bcrypt and scrypt functionally truncate it to 72 chars.

There's bandwidth and ram reasons to put some kind of upper limit. 1024 is already kinda silly.

this post was submitted on 18 Aug 2024
847 points (98.8% liked)

Cybersecurity - Memes

1893 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS