Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • wer2@lemm.ee
    link
    fedilink
    arrow-up
    16
    arrow-down
    1
    ·
    4 months ago

    It doesn’t matter the input size, it hashes down to the same length. It does increase the CPU time, but not the storage space. If the hashing is done on the client side (pre-transmission), then the server has no extra cost.

    For example, the hash of a Linux ISO isn’t 10 pages long. If you SHA-256 something, it always results in 256 bits of output.

    On the other hand, base 64-ing something does get longer as the input grows.

    • redxef@scribe.disroot.org
      link
      fedilink
      arrow-up
      3
      ·
      4 months ago

      Hashing on the client side is as secure as not hashing at all, an attacker can just send the hashes, since they control the client code.

      • wer2@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        Hashing is more about obscuring the password if the database gets compromised. I guess they could send 2^256 or 2^512 passwords guesses, but at that point you probably have bigger issues.

        • redxef@scribe.disroot.org
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          4 months ago

          It’s more about when a database gets leaked. They then don’t even have to put in the effort of trying to match hashes to passwords. And that’s what hashing a password protects against, when done correctly.