this post was submitted on 18 Aug 2024
833 points (98.8% liked)
Cybersecurity - Memes
1963 readers
1 users here now
Only the hottest memes in Cybersecurity
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
That happens all the fucking time, and it's infuriating. Most recent example was with Kagi, which I eventually found out had a max of 72, truncated, no warning. I bitched out their support and they were like 'nbd, and it should have warned you' and I'm like 'nope, no warning at all' which means they didn't bother checking if a warning actually showed or prevented the input, just 'I wrote it so we must be good'.
They claim to have fixed this, but ugh. Took me a half an hour, and I started with the suspicion that it was being truncated. Test your shit if you're going to be stupid, people.
Bcrypt and scrypt have a limit of 72 chars, so it's probably that. Implementations can work around it by putting the password through a pre-hash, but most don't bother. There are tons of reasonably secure password storage systems with that limit.
What are the benefits of a password greater than 72 characters? How high do you try to go?
The longer it is, the harder for anyone to guess, write down, remember, or brute force. For that long a password, someone can actually see my password and then have effectively zero chance of being able to use it.
But maybe it’s more a ”why not?” In one side it’s generated so you can use it equally well, and in the other side it should be hashed to a standard length so they should be able to manage it equally well.
When I did the math with a reasonable list of alphanums and symbols on a US standard keyboard, a 40 char randomly generated password had equivalent security to a 256 but block cipher key. Describing the difficulty in brute forcing that starts with the phrase "assume you can convert all the energy from a supernova at 100% efficiency into a thermodynamiclly perfect computer". A roundabout way of saying impossible.
40 chars random is already overkill.