Cybersecurity - Memes

1893 readers

5 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago

MODERATORS

Sam1232188@lemmy.world

neurohost@lemmy.world

Alphadef@programming.dev

CannaVet@lemmy.world

845

Password length requirement (feddit.org)

submitted 1 month ago* (last edited 1 month ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world

172 comments fedilink hide all child comments

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments

[–] slazer2au@lemmy.world 32 points 1 month ago (2 children)

If a company tells you your password has a maximum length, they are untrustable with anything important.

Lemmy-UI has a password limit of 60 characters. Does that make it untrustworthy?

[–] cron@feddit.org 57 points 1 month ago

OWASP recommendation is to allow 64 chars at least:

Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.

The lemmy-UI limit is reasonably close and as everything is open source, we can verifiy that it does hash the password before storing it in the database.

There is a github issue, too.

[–] faltryka@lemmy.world 14 points 1 month ago

It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.