**✨Ben Hamill✨** @benhamill@octodon.social · Apr 18, 2017, 13:59

**✨Ben Hamill✨** @benhamill@octodon.social · Apr 18, 2017, 13:59

✨Ben Hamill✨ @benhamill@octodon.social

A website complained at me for trying to make a password too long. Their limit is 40 characters. Oh.

**ꝺꜫꞅh̵Ɪꝕꞟ** @deshipu · Apr 18, 2017, 14:08

**ꝺꜫꞅh̵Ɪꝕꞟ** @deshipu · Apr 18, 2017, 14:08

@benhamill Whenever I see a length limit on a password field this tells me one thing "we store your password, not its hash".

**Mostly Water** @cognish@mastodon.xyz · Apr 18, 2017, 20:15

**Mostly Water** @cognish@mastodon.xyz · Apr 18, 2017, 20:15

@deshipu @benhamill I agree that is true the vast majority of the time. However, note that for some hash algorithms there are DOS attacks that exploit problems encountered when the plaintext pwd is super duper long.

Also, HTML form fields sorta need a length! I set length to something like 200, 300.

**ꝺꜫꞅh̵Ɪꝕꞟ** @deshipu · 2017-04-18T20:31:17Z

ꝺꜫꞅh̵Ɪꝕꞟ @deshipu

@cognish @benhamill I usually solve that by having a limit on the overall post data size, but you are right that *some* limit is useful.

Apr 18, 2017, 20:31 · Web · 0 · 1