this post was submitted on 18 Aug 2024
833 points (98.8% liked)

Cybersecurity - Memes

1975 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
833
submitted 3 months ago* (last edited 3 months ago) by cron to c/cybersecuritymemes@lemmy.world
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[–] slazer2au@lemmy.world 31 points 3 months ago (2 children)

If a company tells you your password has a maximum length, they are untrustable with anything important.

Lemmy-UI has a password limit of 60 characters. Does that make it untrustworthy?

[–] cron 55 points 3 months ago

OWASP recommendation is to allow 64 chars at least:

Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.

The lemmy-UI limit is reasonably close and as everything is open source, we can verifiy that it does hash the password before storing it in the database.

There is a github issue, too.

[–] faltryka@lemmy.world 14 points 3 months ago

It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.