Reply to post: why have ANY upper limit?

For Foxit's sake: PDF editor biz breached, users' passwords among stolen data

John Miles

why have ANY upper limit?

Because if you don't then you will likely be opening yourself up to DoS attacks where someone pushes a few million characters into the password field, and because password hashing is designed to be slow it will take a lot of resources on the server if you get a lot of connections passing in very long passwords.

However, it should be possible to find a sensible limit above 20 characters (bcrypt, I believe, only handles 72 bytes for hashing).
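Added example, not from the commenter, Foxit or The Register: a small password-handling module showing the two points in the comment above, a byte-length cap checked before any slow hashing so an over-long submission costs almost nothing, and a fixed-size pre-hash so bcrypt's 72-byte cut-off cannot silently discard the tail of a long passphrase. The 128-byte cap is an assumed policy value, bcrypt itself is modelled by a `bcrypt_style_truncate` helper (the real library is third-party and not used here), and `hashlib.pbkdf2_hmac` stands in for the slow salted hash. The sample passwords are constructed for the demonstration.

```python
"""Length-capped password hashing with a pre-hash that sidesteps bcrypt's
72-byte input limit. Illustrative code written for this page; the cap,
the iteration count and the stand-in hash are assumptions, not values
taken from Foxit or from the article."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy: generous enough for passphrases, small enough that the
# slow hash never sees attacker-chosen multi-megabyte input.
MAX_PASSWORD_BYTES = 128

# bcrypt ignores everything after the 72nd byte of its input.
BCRYPT_INPUT_LIMIT = 72

# Work factor for the stand-in slow hash (PBKDF2-HMAC-SHA256 iterations).
PBKDF2_ITERATIONS = 100_000


def validate_length(password: str) -> bytes:
    """Encode and length-check the password before any expensive work.

    The limit is measured in bytes, not characters: UTF-8 multibyte
    characters inflate the encoded length, so a character limit could
    still admit more bytes than the hash expects. Raises ValueError so
    the caller can reject the request cheaply (an O(len) encode only).
    """
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError(
            f"password is {len(raw)} bytes; limit is {MAX_PASSWORD_BYTES}")
    return raw


def bcrypt_style_truncate(raw: bytes) -> bytes:
    """Model what bcrypt does with input past 72 bytes: silently drop it."""
    return raw[:BCRYPT_INPUT_LIMIT]


def prehash(raw: bytes) -> bytes:
    """Map any input to a fixed 44-byte token that fits under bcrypt's limit.

    SHA-256 then base64 (44 ASCII bytes, no NUL bytes) is the usual
    pre-hash in front of bcrypt; every byte of the original password
    influences the result, so bytes past position 72 are no longer lost.
    """
    return base64.b64encode(hashlib.sha256(raw).digest())


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex:digesthex' for storage. Length-checks first."""
    raw = validate_length(password)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", prehash(raw), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time compare; over-long input is refused without hashing."""
    try:
        raw = validate_length(password)
    except ValueError:
        return False
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", prehash(raw), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Run the checks the comment describes and return the outcomes."""
    # Constructed inputs: two 100-byte passwords sharing their first 72 bytes.
    # Both pass the 128-byte cap, so without a pre-hash bcrypt would treat
    # them as the same password.
    shared_prefix = "p" * 72
    a = (shared_prefix + "A" * 28).encode()
    b = (shared_prefix + "B" * 28).encode()

    stored = hash_password("correct horse battery staple")
    return {
        "truncated_collide": bcrypt_style_truncate(a) == bcrypt_style_truncate(b),
        "prehash_collide": prehash(a) == prehash(b),
        "prehash_len": len(prehash(a)),
        "right_password_ok": verify_password("correct horse battery staple", stored),
        "wrong_password_ok": verify_password("wrong", stored),
        # A 2 MB submission is refused by the cap before PBKDF2 ever runs.
        "huge_password_ok": verify_password("x" * 2_000_000, stored),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of checking the length in `verify_password` as well as at registration is that the login endpoint is the one an attacker can hit unauthenticated; the cap is what keeps each rejected request cheap, and the pre-hash is what keeps a cap well above 72 bytes honest.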
