Right, that’s why I put the “within reason” in my comment. You still need to guard against malicious inputs so ultimately there is some max length limit, but it should be way beyond what a reasonable password length should be.
Comment on A question about passwords | characters used in them
Aurenkin@sh.itjust.works 1 year ago
A very high max of something like 500 characters just to make sure you don’t get DOSed by folks hitting your endpoint with kilobytes of data is about the most I would expect in terms of length restrictions. I’m not a security expert or anything though.
foo@withachanceof.com 1 year ago
PM_ME_FAT_ENBIES@lemmy.blahaj.zone 1 year ago
My password is the bee movie script
dog@suppo.fi 1 year ago
That’s a misunderstanding of DDoS. 0 byte packets are actually worse than large packets.
Which is why most DDoS (at least was) is extremely slow 0 byte requests until the server throttles/crashes under the number of requests.
Aurenkin@sh.itjust.works 1 year ago
Very true and a good explanation of DDoS, but I was talking about DoS generally, not specifically DDoS. In my (admittedly pretty limited) experience, a single mega request which is not blocked or rejected by your server can cause it to choke. If you don’t have sufficient redundancy, or if you get several of these requests coming through, it can take down some of your backend services.
It’s a good point though, there are lots of different attack vectors each fun in their own way that you need to watch out for.
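An illustration of the ordering Aurenkin's two comments argue for (cheap size checks on the request and the password before the expensive hashing step runs), written as an added example rather than code from this thread. The 500-character cap is the figure from the thread; the 4 KB body limit and the PBKDF2 cost are assumed values.

```python
import hashlib
import os
from typing import Optional, Tuple

# Generous limits in the spirit of the thread: far beyond any sane password,
# but small enough that one request cannot tie up the hashing code path.
MAX_PASSWORD_CHARS = 500   # thread's figure, counted in characters (code points)
MAX_BODY_BYTES = 4096      # assumed cap on the whole request body
PBKDF2_ROUNDS = 100_000    # assumed KDF cost; this is the expensive step we guard


def check_body_size(content_length: int) -> bool:
    """Reject oversized bodies before reading them (the 'kilobytes of data' case)."""
    return 0 < content_length <= MAX_BODY_BYTES


def validate_password(raw: bytes) -> Optional[str]:
    """Decode and length-check a submitted password; None means reject.

    The limit is in characters, not bytes, so a 500-character UTF-8 password
    is accepted even though it encodes to more than 500 bytes."""
    try:
        pw = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not pw or len(pw) > MAX_PASSWORD_CHARS:
        return None
    return pw


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Slow KDF; only ever reached after validate_password accepted the input."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def handle_registration(content_length: int, raw_password: bytes) -> str:
    """Order of checks is the point: cheap size checks first, expensive hash last."""
    if not check_body_size(content_length):
        return "rejected: body too large"
    pw = validate_password(raw_password)
    if pw is None:
        return "rejected: bad or oversized password"
    hash_password(pw)  # constructed flow: a real handler would store salt+digest
    return "ok"
```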