Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • unmagical
    link
    fedilink
    arrow-up
    5
    ·
    3 months ago

    Of course, but if you’re paying for network and processing costs you might as well cap it at something secure and reasonable. No sense in leaving that unbounded when there’s no benefit over a lengthy cap and there are potentially drawbacks from someone seeing if they can use the entirety of Wikipedia as their password.

    • DaPorkchop_
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      You can also hash it on the client-side, then the server-side network and processing costs are fixed because every password will be transmitted using same number of bytes

      • unmagical
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        You still need to deal with that on the server. The client you build and provide could just truncate the input, but end users can pick their clients so the problem still remains.

        • DaPorkchop_
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          The server can just reject any password hash it receives which isn’t exactly hash-sized.

      • Valmond@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        3 months ago

        That would take care of it, you do nead to salt & hash it again server side ofc.