Password has a max length = not hashing passwords?

[smtchahal]

The entry for NordVPN states

Claims to protect your security. Can't even hash a password.

supposedly because they don't allow passwords longer than 48 characters.

Is the implication here that having a, say, low max length necessarily means that the server is not hashing the password?

If the hash is computationally expensive (e.g. with argon2), then as the password length grows, so does the computation time. There has to be some sane limit to it, just to prevent a DoS because of a malicious user with an absurdly long password.

Thoughts?

[duffn]

I'm not sure about that particular entry in regard to "Can't even hash a password".

The length, however, is just arbitrary. There was a discussion somewhere on adding Google because their max was 99 characters, but that seems like enough to me, so it wasn't added. 48 seems a bit low to me, so it's on the list. It's just made up.

[smtchahal]

So 48 is made up, but 99 is... based on research?

I think we need a concrete number as to what's considered an acceptable upper limit (which definitely needs to be there). But assuming passwords are stored unhashed just because there's a certain upper limit is just silly.

[duffn]

I didn’t state any sort of research. They’re both made up. 99 seems long enough to me, 48 doesn’t. That’s it.

[smtchahal]

That's fair. I still think we need a number though. I mean 48 seems long enough to me, but that's just always going to be subjective unless we agree upon a number.

I also think we should re-word the NordVPN entry. Hashing should not be put into question without a valid reason.

[duffn]

Please feel free to open a PR to update the Nord entry! I agree, it sounds odd.

[smtchahal]

Done! See #416.

Let's do something about the max length as well now. OWASP doesn't directly say it, but it does mention 64 characters as a "common maximum length due to limitations in certain hashing algorithms".

Let's go with that then? That 64 characters should be the lowest reasonable max length? We could add it to #219 maybe?

[duffn]

Sure, 64 seems reasonable to me. Though if somebody allows a 70 character password but it’s all lowercase or something absurd like that, then that’s dumb.

[smtchahal]

Agreed! Other dumb password rules still apply. I only opened this issue to discuss password length.

[duffn]

I added a section here on the new about page on what makes a dumb password rule. https://dumbpasswordrules.com/about/

No specific length really, so our previous discussion still applies. I'll continue to happily review any and all PRs for new entries or updates!