Comment on NIST proposes barring some of the most nonsensical password rules
escapesamsara@lemmings.world 2 days agoThen you’re vulnerable to simple brute force attacks, which if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.
cmnybo@discuss.tchncs.de 2 days ago
By any length I meant no maximum length. Obviously you don’t want to use a super short password.
MelodiousFunk@slrpnk.net 2 days ago
“What’s your password?”
“The letter A.”
catloaf@lemm.ee 2 days ago
Mine is the null string. They’ll never guess it!
frezik@midwest.social 1 day ago
Some kind of upper bound is usually sensible. You can open a potential DoS vector by accepting anything. The 72 byte bcrypt/scrypt limit is generally sensible, but going for 255 would be fine. There’s very little security to be gained at those lengths.
sugar_in_your_tea@sh.itjust.works 1 day ago
I do 256 so I hopefully never need to update it, but most of my passwords are 20-30 characters or something, and generated by my password manager. I don’t care if you choose to write a poem or enter a ton of unicode, I just need a bunch of bytes to hash.