this post was submitted on 18 Aug 2024
832 points (98.8% liked)

Cybersecurity - Memes

1975 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[–] faltryka@lemmy.world 137 points 3 months ago (36 children)

This is my biggest pet peeve. Password policies are largely mired in inaccurate conventional wisdom, even though we have good guidance docs from NIST on this.

Frustrating poor policy configs aside, this max length is a huge red flag, basically they are admitting that they store your password in plan text and aren’t hashing like they should be.

If a company tells you your password has a maximum length, they are untrustable with anything important.

[–] chameleon@fedia.io 10 points 3 months ago (1 children)

bcrypt has a maximum password length of 56 to 72 bytes and while it's not today's preferred algo for new stuff, it's still completely fine and widely used.

[–] DaPorkchop_@lemmy.ml 2 points 3 months ago

Wait, really? I always thought bcrypt was just a general-purpose hash algorithm, never realized that it had an upper data size limit like that.

load more comments (34 replies)