Comment on A question about passwords | characters used in them
foo@withachanceof.com 1 year ago
Is it bad programming?
With very few exceptions, yes. There should be no restrictions on characters used/length of password (within reason) if you’re storing passwords correctly.
Aurenkin@sh.itjust.works 1 year ago
A very high max of something like 500 characters just to make sure you don’t get DOSed by folks hitting your endpoint with kilobytes of data is about the most I would expect in terms of length restrictions. I’m not a security expert or anything though.
dog@suppo.fi 1 year ago
That’s a misunderstanding of DDoS. 0 byte packets are actually worse than large packets.
Which is why most DDoS (at least was) is extremely slow 0 byte requests until the server throttles/crashes under the number of requests.
Aurenkin@sh.itjust.works 1 year ago
Very true and a good explanation of DDoS but I was talking about DoS generally, not specifically DDoS. In my (admittedly pretty limited) experience, a single mega request which is not blocked or rejected by your server can cause it to choke. If you don’t have sufficient redundancy or if you get several of these requests coming through it can take down some of your backend services.
It’s a good point though, there are lots of different attack vectors each fun in their own way that you need to watch out for.
foo@withachanceof.com 1 year ago
Right, that’s why I put the “within reason” in my comment. You still need to guard against malicious inputs so ultimately there is some max length limit, but it should be way beyond what a reasonable password length should be.
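As an added illustration of the point made in foo's two comments (no character restrictions, a length cap only as a guard against oversized input, and a proper hash on the server side), here is example code that is not from the thread or any participant. The 500-byte cap and the minimum length are constructed policy values for the example; the hashing uses the standard library's PBKDF2-HMAC-SHA256 as one correct way to store passwords.

```python
import hashlib
import os
import secrets
from typing import Optional, Tuple

# Constructed policy values for this example. The only ceiling is a generous
# byte cap so an oversized request is rejected before any CPU is spent hashing;
# it is not meant to constrain what a normal user types.
MAX_PASSWORD_BYTES = 500
MIN_PASSWORD_LENGTH = 8

# PBKDF2 iteration count (assumed value for the example; tune to your hardware).
PBKDF2_ITERATIONS = 600_000


def validate_password(password: str) -> Tuple[bool, str]:
    """Accept any Unicode character; reject only on length.

    Length is measured in UTF-8 bytes because that is what gets hashed,
    so a string of multibyte characters is capped by its encoded size.
    """
    if not isinstance(password, str):
        return False, "password must be a string"
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, "too short"
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False, "too long"
    return True, "ok"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$salt_hex$digest_hex."""
    ok, reason = validate_password(password)
    if not ok:
        raise ValueError(reason)
    salt = salt if salt is not None else os.urandom(16)
    return f"pbkdf2_sha256${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored record without leaking timing."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    # Cheap rejection of oversized candidates happens before the slow KDF.
    ok, _ = validate_password(password)
    if not ok:
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex)).hex()
    return secrets.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    record = hash_password("pässwörd-✓-🔑-with-unicode!")
    print(record)
    print(verify_password("pässwörd-✓-🔑-with-unicode!", record))
```

Because the hash is fixed-size regardless of input, nothing about storage forces a short maximum or a restricted character set; the validator's cap exists only so that a multi-kilobyte request is turned away before the key-derivation step runs.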
PM_ME_FAT_ENBIES@lemmy.blahaj.zone 1 year ago
My password is the bee movie script
0xSHODAN@lemmy.world 1 year ago
And if a site does have such restrictions, it could be an indication that they store passwords in plaintext, rather than hashed