this post was submitted on 18 Aug 2024
831 points (98.8% liked)

Cybersecurity - Memes

1902 readers
9 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
Sam1232188@lemmy.world
neurohost@lemmy.world
Alphadef@programming.dev
CannaVet@lemmy.world
831
Password length requirement (feddit.org)
submitted 1 month ago* (last edited 1 month ago) by cron to c/cybersecuritymemes@lemmy.world
171 comments fedilink hide all child comments
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[–] redxef@scribe.disroot.org 3 points 1 month ago (2 children)

Hashing on the client side is as secure as not hashing at all, an attacker can just send the hashes, since they control the client code.

[–] DaPorkchop_@lemmy.ml 3 points 4 weeks ago

Then you can salt+hash it again on the server.

[–] wer2@lemm.ee 2 points 4 weeks ago (1 children)

Hashing is more about obscuring the password if the database gets compromised. I guess they could send 2^256 or 2^512 passwords guesses, but at that point you probably have bigger issues.

[–] redxef@scribe.disroot.org 2 points 4 weeks ago* (last edited 4 weeks ago)

It's more about when a database gets leaked. They then don't even have to put in the effort of trying to match hashes to passwords. And that's what hashing a password protects against, when done correctly.