
The argument I once heard for restricting the length of a password (and possibly special characters) is that it would be harder to craft a buffer overflow (or SQL injection attack) with those limitations. I don't agree that this is a good solution, but it's not always good programmers/managers who are making these decisions. It at least sounds plausible.



That's a really bad argument. If password length is threatening to you, you have no business accepting passwords.

(Length also has almost nothing to do with SQL injection, and if you're plugging a raw password into an SQL query you're doing something very wrong anyways.)


Hmm? The hash will be a fixed length, which is the only thing you'd be storing.


In order to get that hash you'd have to process the password in its entirety. But really, if they're that concerned about the buffer I see no reason to cap it at 8 or 10 rather than 1000.


Eh. That seems unlikely, assuming you're not writing your own routines. At most you'd get an out of memory error. I can calculate the SHA1 digest of a 1Bn character string without running into that problem.

So let's cap the length at 100k characters and call it a day.
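A small demonstration of the point made in this thread, added here and not written by any of the commenters: the stored digest has a fixed size no matter how long the password is, hashing state stays fixed-size even when a huge input is fed in pieces, and an upper bound like 100k only has to be a denial-of-service sanity limit. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than the bare SHA1 mentioned above; the cap and iteration count are assumed values for the example.

```python
import hashlib

# Sanity cap taken from the thread ("cap the length at 100k"): a DoS limit,
# not a security control. Constructed value for this example.
MAX_PASSWORD_BYTES = 100_000
# Iteration count is an assumption for the example, not a recommendation.
PBKDF2_ITERATIONS = 100_000


def is_acceptable_length(password: str) -> bool:
    """Length check on the UTF-8 encoding, which is what gets hashed."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: bytes) -> bytes:
    """Return a fixed-size 32-byte digest regardless of password length.

    Only this digest (plus the salt) is stored; the raw password is never
    written anywhere, so its length never reaches a storage column.
    """
    if not is_acceptable_length(password):
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    pw = password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)


def digest_lengths(passwords, salt=b"constructed-salt") -> list:
    """Digest sizes for passwords of wildly different lengths (all 32)."""
    return [len(hash_password(p, salt)) for p in passwords]


def sha256_hex(data: bytes) -> str:
    """One-shot digest of data already held in memory."""
    return hashlib.sha256(data).hexdigest()


def sha256_streamed(chunks) -> str:
    """Digest of an arbitrarily long input fed in pieces.

    The hash state is fixed-size, so a very long input never has to sit in
    one buffer: length is a throughput concern, not an overflow one.
    """
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    print(digest_lengths(["hunter2!", "a" * 1000, "b" * MAX_PASSWORD_BYTES]))
    big = b"a" * 10_000_000  # constructed 10 MB input
    pieces = (big[i:i + 65536] for i in range(0, len(big), 65536))
    print(sha256_streamed(pieces) == sha256_hex(big))
```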



