this post was submitted on 19 Jul 2023
7 points (100.0% liked)
Asklemmy
42502 readers
1457 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy π
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- [email protected]: a community for finding communities
~Icon~ ~by~ ~@Double_[email protected]~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
If you use a proper password hash function, and some joker submits a million-character password, you've got a denial-of-service attack.
The limit doesn't have to be 12 characters, but there does need to be a limit.
Why would that be a DOS? The hash of something is always the same length. Might only take a bit more time to compute, but a million characters isn't that much with modern hardware. If anything, the risk of collisions would be higher.
Hashing is typically done server-side. So you need to transmit the password to the server and you can't have a truly unlimited data limit. Pretty much every web server will reject requests over some size so while it's entirely reasonable to support something like a 1,000 char password if you really wanted to, having it be truly unlimited with something using a 10 million character password is a security/operational risk in itself.