Closed wms closed 4 years ago
How do you figure the length of a secret is potentially unsafe? If I know a password consists of 14 characters taken randomly from a 64-character set, that narrows it down to 2^84 possibilities. It's not like this knowledge constitutes a meaningful reduction to the attack space - the Earth will be swallowed by the Sun before you'd be able to make any kind of a dent in the search set (just a smidge under twenty trillion trillion - expressed in meters, about a quarter tenth the width of the observable universe).
> How do you figure the length of a secret is potentially unsafe?
For me, the key word there is/was potentially. Yes, it's a longshot, but disclosing any information that narrows the search space like this is still worth calling out and being verbose about.
Thanks for this operator - it's very useful. What would make it even more useful, IMO, would be the option to specify the length of a secret via annotations.
I appreciate that this could be considered insecure as it leaks some property about the secret (i.e., its length), so there are a couple of ways one could handle this:

- Name the annotation something like `potentiallyUnsafeLength` to make it clear to users that this isn't always the best way to go about things.
- Allow support for a complementary `maxLength` annotation, so at least an observer doesn't know the exact length of the generated secret.

Thanks for your time!
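The two threads above (the 2^84 search-space calculation in the first comment and the exact-length versus `maxLength` proposal in the issue body) come down to one question: how many bits of search space does an observer gain from learning the exact length rather than only a bound? The following is an added example, not code from this issue or from the operator; the alphabet size, the length range and the function names are assumptions chosen to mirror the 64-character, 14-length case discussed above.

```python
import math


def exact_length_space(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets when the exact length is known.

    For the case in the thread, 64 characters at length 14 this is 64**14 == 2**84.
    """
    return alphabet_size ** length


def bounded_length_space(alphabet_size: int, min_length: int, max_length: int) -> int:
    """Number of candidate secrets when only a length range is known.

    Models what an observer can infer from a maxLength-style annotation
    (assumed here to imply lengths in [min_length, max_length], inclusive).
    """
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def bits(candidates: int) -> float:
    """Search-space size expressed in bits; math.log2 handles arbitrary-size ints."""
    return math.log2(candidates)


def leaked_bits(alphabet_size: int, actual_length: int,
                min_length: int, max_length: int) -> float:
    """Bits of search-space reduction gained by learning the exact length,
    relative to an observer who only knew the length range."""
    return (bits(bounded_length_space(alphabet_size, min_length, max_length))
            - bits(exact_length_space(alphabet_size, actual_length)))


if __name__ == "__main__":
    # Constructed scenario: 64-character alphabet, secrets of 14 characters,
    # with an annotation revealing only that the length is at most 14.
    alphabet, actual = 64, 14
    print(f"exact length known:   {bits(exact_length_space(alphabet, actual)):.2f} bits")
    print(f"only max known (1-14): {bits(bounded_length_space(alphabet, 1, 14)):.2f} bits")
    print(f"leak from exact length: {leaked_bits(alphabet, actual, 1, 14):.4f} bits")
    # Constructed edge case: the generator picked the shortest allowed length.
    print(f"leak when actual=8, range 8-14: {leaked_bits(alphabet, 8, 8, 14):.2f} bits")
```

Two things fall out of running it. With secrets at the maximum length, the sum of all shorter lengths is dominated by the longest term (64/63 of it), so an exact length disclosure costs only about 0.02 bits over a `maxLength` disclosure; the bound does little to hide a secret that sits at the top of the range. The protection only materialises for secrets shorter than the bound: a length-8 secret in a range of 8 to 14 gains about 36 bits of apparent search space from the range being unknown. Either way, at 2^84 candidates the first comment's point stands, since the disclosure changes the order of magnitude by at most a factor of 64/63.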