84
Table Flip Time 🙃
(lemmy.world)
One is clearly uppercase 'i' and the other lowercase 'L'
Anytime you see a password length cap you know they are not following current security standards. If they aren't following them for something so simple and visible, you'd better believe it's a rat infested pile of hot garbage under the hood, as evidenced here.
you have to limit it somewhere or you're opening yourself up for a DoS attack
password hashing algorithms are literally designed to be resource intensive
Edited to remove untrue information. Thanks for the corrections everyone.
Incorrect.
They're designed to be resource intensive to calculate to make them harder to brute force, and impossible to reverse.
Some literally have a parameter which acts as a sliding scale for how difficult they are to calculate, so that you can increase security as hardware power advances.
I was incorrect but I still disagree with you. The hashing function is not designed to be resource intensive but to have a controlled cost. Key stretching by adding rounds repeats the controlled cost to make computing the final hash more expensive but the message length passed to the function isn't really an issue. After the first round it doesn't matter if the message length was 10, 128, or 1024 bytes because each round after is only getting exactly the number of bytes the one way hash outputs.
It depends on the hash. E.g., OWASP only recommends 2 iterations of Argon2id as a minimum.
Yes, a hashing function is designed to be resource intensive, since that's what makes it hard to brute force. No, a hashing function isn't designed to be infinitely expensive, because that would be insane. Yes, it's still a bad thing to provide somebody with a force multiplier like that if they want to run a denial-of-service.
I'm a bit behind on password specific hashing techniques. Thanks for the education.
My background more in general purpose one way hashing functions where we want to be able to calculate hashes quickly, without collisions, and using a consistent amount of resources.
If the goal is to be resource intensive why don't modern hashing functions designed to use more resources? What's the technical problem keeping Argon2 from being designed to eat even more cycles?
Argon2 has parameters that allow you to specify the execution time, the memory required, and the degree of parallelism.
But at a certain point you get diminishing returns and you're just wasting resources. It seems like a similar question to why not just use massive encryption keys.
load more comments
(9 replies)
Are you saying that any site which does not allow a 27 yobibyte long password is not following current security standards?
I think a 128 character cap is a very reasonable compromise between security and sanity.
[This comment has been deleted by an automated system]
At my job they just forced me to use a minimum 15-character password. Apparently my password got compromised, or at least that was someone’s speculation because apparently not everyone is required to have a 15-char password.
My job is retail, and I type my password about 50 times a day in the open, while customers and coworkers and security cameras are watching me.
I honestly don’t know how I’m expected to keep my password secure in these circumstances. We should have physical keys or biometrics for this. Passwords are only useful when you enter them in private.
Yeah you should have a key card. Like not even from a security perspective but from an efficiency one. Tap a keycard somewhere that would be easily seen if an unauthorized person were to even touch or even swipe it if need be. I’m sick and tired of passwords at workplaces when they can be helped
Ask your boss to get you a yubikey
It’s an enormous corporation. They’d have to outfit every computer in the building for the yubikey. It’s not going to happen.
At least it's 128
I had a phone carrier that changed from a pin to a "password" but it couldn't be more than 4 characters
load more comments
(2 replies)
Atleast this is reasonable, I have seen some website don't allow more than 6 character.
load more comments
(1 replies)
I'm going to ruin this man's whole database
Do you really need more than 128 characters?
load more comments
(4 replies)
Those are L.hate… and i.hate…, am I seeing that correctly?
I know this a a joke, but please use a password manager, it is such a game changer.
Bitwarden is free and E2E encrypted and if you want additonal feature, they only cost 10 bucks pre year. You can even use it with anonaddy to hide your email, which is also totally free and open source.
What are those premium features? I never felt like I was missing something from the free bitwarden
load more comments
(3 replies)
load more comments
(2 replies)
User error can still be mildly infuriating, I'm not removing this post. Thanks!
load more comments
(1 replies)
I know it's annoying that the password "doesn't match", but ... a 128 character limit?! I'd like to see THAT fully utilized lol.
(PS: the sentence above is exactly 128 characters, just for a comparison.)
...and I bet once you want to change it you get the "your new password can not be the old password" error message just because.
My favorite was when I changed my password and they allowed different restrictions on the change password screen than they did when logging in. I changed my password to a 24 character one but log in screen only allows for max 16. I think they were truncating somewhere but I could not figure it out. Also could not change it again as it said it was incorrect.
I mean there is bitwarden, which literally can generate you strong random unique passwords for each site. Not really hard these days, I personally have unique one for every site but cap mine around 36 characters when generating passwords. Depends on the website tho.
An acquaintance of mine has a 36 characters long passcode for his tablet that he manually puts in every time he wants to use it.
And you can use password managers to make secure passwords without ever having to input them yourself.
That is a very good idea if you want to disincentivise yourself from using your tablet
view more: next ›
this post was submitted on 25 Jul 2023
84 points (86.8% liked)
Mildly Infuriating
35759 readers
1259 users here now
Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.
I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!
It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.
Rules:
1. Be Respectful
Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.
Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.
...
2. No Illegal Content
Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.
That means: -No promoting violence/threats against any individuals
-No CSA content or Revenge Porn
-No sharing private/personal information (Doxxing)
...
3. No Spam
Posting the same post, no matter the intent is against the rules.
-If you have posted content, please refrain from re-posting said content within this community.
-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.
-No posting Scams/Advertisements/Phishing Links/IP Grabbers
-No Bots, Bots will be banned from the community.
...
4. No Porn/Explicit
Content
-Do not post explicit content. Lemmy.World is not the instance for NSFW content.
-Do not post Gore or Shock Content.
...
5. No Enciting Harassment,
Brigading, Doxxing or Witch Hunts
-Do not Brigade other Communities
-No calls to action against other communities/users within Lemmy or outside of Lemmy.
-No Witch Hunts against users/communities.
-No content that harasses members within or outside of the community.
...
6. NSFW should be behind NSFW tags.
-Content that is NSFW should be behind NSFW tags.
-Content that might be distressing should be kept behind NSFW tags.
...
7. Content should match the theme of this community.
-Content should be Mildly infuriating.
-At this time we permit content that is infuriating until an infuriating community is made available.
...
8. Reposting of Reddit content is permitted, try to credit the OC.
-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.
...
...
Also check out:
Partnered Communities:
Reach out to LillianVS for inclusion on the sidebar.
All communities included on the sidebar are to be made in compliance with the instance rules.
founded 2 years ago
MODERATORS