userstyles-world / userstyles.world

⭐ Website to browse and share UserCSS userstyles. A modern replacement for UserStyles.org made by the userstyles community.
https://userstyles.world
GNU Affero General Public License v3.0
324 stars, 15 forks

Please don't restrict *maximum* password length #314

Open nc7s opened 1 month ago

nc7s commented 1 month ago

Restricting minimum length is good for security, but maximum? There is no point, it's hashed anyway... unless it's stored clear text.


nc7s commented 1 month ago

Technically, that's not really a problem: any modern web server should easily handle a maximum size request, and if there are too many of them, be able to rate limit. Or: hash in the browser ;)

Joking aside, I personally use something like 40 to 64 in the password generator, and yes, I agree it's very rare to see high 2- or even 3-figure length passwords, if they exist at all. So something like 96 or 192 would suffice.

But no, please don't discriminate between "letter only passphrase" and "password with non-letter chars"; they are just passwords, hashed before being stored. Services shouldn't know anything about them other than the final hashes.

lennybacon commented 3 weeks ago

Why a limitation at all?

Accepted there are technical limitations like the bytes sent to the web server...

What others are doing...

So it would be great to a) make the limitation big (3-figures) and b) display the restriction in the UI (or at least in an error message) explicitly.

nc7s commented 3 weeks ago

Arguably, OS code is hard to change once written, the usual "backward compatibility" shenanigans, mostly because it stays on customer hardware developers don't control. Websites are more fluid and flexible, and run on developer controlled hardware.

That said, 256 is probably enough.
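The thread asks for two things: a large maximum (256 in the last comment) and a limit that is stated explicitly in the UI or error message rather than enforced silently. The following Go example, added here and not taken from the userstyles.world code base, shows one way to do both: length is counted in Unicode code points so a non-ASCII passphrase is not penalised for its UTF-8 byte length, each rejection carries a message that names the limit, and a fixed-size digest illustrates why input length does not affect what is stored. The minimum of 8 is an assumed value the thread does not give, and `Digest` uses SHA-256 only because it is in the standard library; a real account system should use a slow, salted password hash such as bcrypt or Argon2, and the maximum must then respect that hash's own input limit (bcrypt, for instance, only reads the first 72 bytes).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Length bounds for a new password. MaxPasswordLen follows the 256 suggested
// in the thread; MinPasswordLen is an assumed value, not taken from the project.
const (
	MinPasswordLen = 8
	MaxPasswordLen = 256
)

// The errors carry explicit messages so the UI (or an API error body) can
// state the limits instead of failing silently.
var (
	ErrPasswordTooShort = fmt.Errorf("password must be at least %d characters", MinPasswordLen)
	ErrPasswordTooLong  = fmt.Errorf("password must be at most %d characters", MaxPasswordLen)
	ErrPasswordInvalid  = errors.New("password must be valid UTF-8")
)

// ValidatePassword checks only length, counted in Unicode code points rather
// than bytes, so a non-ASCII passphrase is not rejected because of its UTF-8
// encoding. It deliberately makes no distinction between letter-only
// passphrases and passwords containing symbols.
func ValidatePassword(pw string) error {
	if !utf8.ValidString(pw) {
		return ErrPasswordInvalid
	}
	n := utf8.RuneCountInString(pw)
	switch {
	case n < MinPasswordLen:
		return ErrPasswordTooShort
	case n > MaxPasswordLen:
		return ErrPasswordTooLong
	}
	return nil
}

// Digest returns a fixed-size hex digest to illustrate the point made in the
// thread: whatever the input length, the stored value has constant size.
// SHA-256 is used only because it is in the standard library; production
// password storage needs a slow, salted hash such as bcrypt or Argon2.
func Digest(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample passwords, from too short to over the limit.
	samples := []string{
		"short",
		"correct horse battery staple",
		strings.Repeat("ü", 200), // 200 runes but 400 bytes: still accepted
		strings.Repeat("x", 257),
	}
	for _, pw := range samples {
		runes := utf8.RuneCountInString(pw)
		if err := ValidatePassword(pw); err != nil {
			fmt.Printf("rejected (%d runes): %v\n", runes, err)
			continue
		}
		fmt.Printf("accepted (%d runes, %d bytes) -> %d-char digest\n",
			runes, len(pw), len(Digest(pw)))
	}
}
```

The rune-versus-byte distinction matters in practice: a server that counts bytes and caps at 256 would reject a 200-character passphrase written in a non-Latin script, which is exactly the kind of user-visible surprise an explicit error message should never hide.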