Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • x0x7@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    How to properly set password requirements on your website. Accept any utf8 string. Have a nice day.

    • tiredofsametab@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      It’s all fun and games until someone realizes they can just create lots of accounts with large passwords and fill your space.

      • Jade@programming.dev
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        Not a problem because passwords are hashed, which means they take up a fixed size, and you should have form upload size limits anyway.

        • tiredofsametab@fedia.io
          link
          fedilink
          arrow-up
          0
          ·
          3 months ago

          hashed, which means they take up a fixed size

          One would hope so anyway,

          you should have form upload size limits

          The above conflicts directly with OP’s Accept any utf8 string

          • x0x7@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            3 months ago

            Ok. Take up to 65,536 bytes of utf8 string. Or better yet. Accept any password length. I mean any. But instead of transmitting it you bcyrpt on their machine and then use the resulting key to hmac sign a recent timestamp that can’t be reused.