Is that point 24 - the limit they set?
Comment on My password is not accepted because it is too long
sexy_peach@feddit.org 2 days ago
In password security, the longer the better.
This is only true up to a certain point
Kissaki@feddit.org 1 day ago
pineapplelover@lemm.ee 2 days ago
Passphrases are much stronger than any 10 character password you can conjure up
sexy_peach@feddit.org 2 days ago
How does that contradict my statement? 10 chars is pretty weak.
Cris16228@lemmy.today 2 days ago
Explain please, I’m curious
bpev@lemmy.world 1 day ago
So this is mathematically correct, but practically not really. But let me give you a long answer. There are essentially two things here that are different:
The reason for #2 in digital systems is because of hashing, which is used to protect your password in the case of a data breach. Essentially, you can think of a hashing algorithm as an algorithm that takes an input, and then always returns the same output for that input, but isn’t reversible (in theory, you can’t derive the input from the output. It’s one-way). This is why if someone hacks Facebook, they don’t necessarily have your Facebook password.
Usually, these algorithms return a fixed-length character string. And so your data is mathematically not more safe if you exceed this length, since a random password combination can theoretically resolve to the same value as your super-long-password. This would depend on the algorithm being used / data being stored, but for example, bcrypt outputs a 60-character string. So mathematically, your password is not more secure beyond 60 characters.
However in practice, this is a non-issue, because I think that basically the only way that collisions like this are useful is for brute-forcing a password? And the chance of a password collision in this way is something like 1 in 10^27 or 10^28 (being hit by lightning every day for 10,000 years)? The much easier solution is to get your actual password. So if your password being longer makes it harder for people to guess, I’d say that adding security by way of #1 is still extremely valid.
Cris16228@lemmy.today 1 day ago
Oh wow! Didn’t expect a detailed explanation of this. Thank you kind Lemmy user!
AnUnusualRelic@lemmy.world 2 days ago
All passwords longer than eight characters are silently truncated anyway.
purplemonkeymad@programming.dev 2 days ago
Only by very badly designed systems. Most are not truncated but hashed. Those hashes are much longer than 8 characters.
ChillPC@programming.dev 2 days ago
Looks like somebody made a generality out of the Shamir Secret Sharing (read it though)
lowered_lifted@lemmy.blahaj.zone 2 days ago
good read. TLDR is that Sun Microsystems database software truncated passwords to 8 characters and the OP assumed that others must do that too. I surely hope not, TBH. I thought truncating to 8 characters had to do with computational or storage efficiency back when that mattered. I’m pretty sure most database fields if they’re modern use like a 256 character limit for passwords right?
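As an added example (not code posted by anyone in this thread), here is the difference between the two designs the thread is arguing about: a legacy store that silently keeps only the first eight characters, as AnUnusualRelic and lowered_lifted describe, and a store that hashes the password into a fixed-length digest, as in bpev's explanation and purplemonkeymad's reply. The class names, the 1024-byte request cap, the PBKDF2 iteration count and the sample passwords are all assumptions made for this demonstration.

```python
"""Legacy 8-character truncation versus hash-based password storage.

All passwords and limits below are constructed for this example.
"""
import hashlib
import hmac
import os


class TruncatingStore:
    """Hypothetical legacy store: keeps only the first 8 characters.

    This is the behaviour the thread attributes to old Sun-era systems:
    anything past the limit is thrown away before comparison.
    """
    LIMIT = 8

    def __init__(self):
        self._secrets = {}

    def register(self, user, password):
        self._secrets[user] = password[: self.LIMIT]

    def verify(self, user, attempt):
        stored = self._secrets.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), attempt[: self.LIMIT].encode()
        )


class HashedStore:
    """Store a salted, fixed-length digest instead of the password.

    Any input length maps to the same digest size, so the database column
    never needs to truncate; the only cap is a generous request-size limit.
    """
    MAX_INPUT_BYTES = 1024   # assumption: guards against oversized requests
    ITERATIONS = 600_000     # assumption: PBKDF2-HMAC-SHA256 work factor

    def __init__(self):
        self._records = {}   # user -> (salt, digest)

    def _derive(self, password, salt):
        pw = password.encode("utf-8")
        if len(pw) > self.MAX_INPUT_BYTES:
            raise ValueError("password exceeds server limit")
        return hashlib.pbkdf2_hmac("sha256", pw, salt, self.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user, attempt):
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        try:
            return hmac.compare_digest(digest, self._derive(attempt, salt))
        except ValueError:
            return False

    def digest_length(self, user):
        return len(self._records[user][1])


def demo():
    """Register one long passphrase in both stores and probe them."""
    long_pw = "correct horse battery staple " * 4   # 116 chars, constructed
    prefix_only = long_pw[:8] + "xxxxx"             # shares only the first 8
    oversized = "a" * 2048                          # beyond the 1024-byte cap

    legacy = TruncatingStore()
    legacy.register("alice", long_pw)

    hashed = HashedStore()
    hashed.register("alice", long_pw)
    hashed.register("bob", "short8ch")

    return {
        "legacy_accepts_prefix": legacy.verify("alice", prefix_only),
        "hashed_accepts_prefix": hashed.verify("alice", prefix_only),
        "hashed_accepts_real": hashed.verify("alice", long_pw),
        "hashed_rejects_oversized": hashed.verify("alice", oversized),
        # digest size is the same whether the password was 8 or 116 chars
        "same_digest_size": hashed.digest_length("alice")
        == hashed.digest_length("bob"),
        "digest_bytes": hashed.digest_length("alice"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The truncating store accepts any attempt that matches the first eight characters, which is exactly the failure the thread's title complains about; the hashed store accepts only the full passphrase, and its 32-byte digest is the same size for an 8-character and a 116-character password, so a column sized for the digest never needs to cut the password short. One caveat a practitioner should keep in mind: bcrypt, which bpev cites, does truncate its input at 72 bytes regardless of how long the encoded output string is, so a site using bcrypt without pre-hashing still has an effective maximum length; PBKDF2, scrypt and Argon2 have no such input limit.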
Cris16228@lemmy.today 2 days ago
Uh? Why?
davidagain@lemmy.world 2 days ago
Only by batshit insane system wreckers. Normal systems don’t do this at all.