All passwords longer than eight characters are silently truncated anyway.
Comment on My password is not accepted because it is too long
Cris16228@lemmy.today 2 days ago
Explain please, I’m curious
AnUnusualRelic@lemmy.world 2 days ago
purplemonkeymad@programming.dev 2 days ago
Only by very badly designed systems. Most are not truncated but hashed. Those hashes are much longer than 8 characters.
ChillPC@programming.dev 2 days ago
Looks like somebody made a generality out of the Shamir Secret Sharing (read it though)
lowered_lifted@lemmy.blahaj.zone 2 days ago
good read. TLDR is that Sun Microsystems database software truncated passwords to 8 characters and the OP assumed that others must do that too. I surely hope not, TBH. I thought truncating to 8 characters had to do with computational or storage efficiency back when that mattered. I’m pretty sure most database fields if they’re modern use like a 256 character limit for passwords right?
AA5B@lemmy.world 1 day ago
Wasn’t it one of the first US govt encryption algorithms, operated on 8 byte blocks?
Cris16228@lemmy.today 2 days ago
Uh? Why?
davidagain@lemmy.world 2 days ago
Only by batshit insane system wreckers. Normal systems don’t do this at all.
bpev@lemmy.world 1 day ago
So this is mathematically correct, but practically not really. But let me give you a long answer. There are essentially two things here that are different:
The reason for #2 in digital systems is because of hashing, which is used to protect your password in the case of a data breach. Essentially, you can think of a hashing algorithm as an algorithm that takes an input, and then always returns the same output for that input, but isn’t reversible (in theory, you can’t derive the input from the output. It’s one-way). This is why if someone hacks Facebook, they don’t necessarily have your Facebook password.
Usually, these algorithms return a fixed-length character string. And so your data is mathematically not more safe if you exceed this length, since a random password combination can theoretically resolve to the same value as your super-long-password. This would depend on the algorithm being used / data being stored, but for example, bcrypt outputs a 60-character string. So mathematically, your password is not more secure beyond 60 characters.
However in practice, this is a non-issue, because I think that basically the only way that collisions like this are useful is for brute-forcing a password? And the chance of a password collision in this way is something like 1 in 10^27 or 10^28 (being hit by lightning every day for 10,000 years)? The much easier solution is to get your actual password. So if your password being longer makes it harder for people to guess, I’d say that adding security by way of #1 is still extremely valid.
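The two behaviours the thread is arguing about, side by side, as an added example (not code from the original thread or from any system mentioned in it): a legacy scheme that only ever looks at the first eight characters, a modern scheme that hashes the whole password with salted PBKDF2-HMAC-SHA256 into a fixed 32-byte digest, and a black-box probe you can point at either to find out which one a login form is doing. Function names, the constants and the sample passwords are all made up for this illustration; Python's standard library does the hashing.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Added illustration; names and constants are hypothetical.
LEGACY_LIMIT = 8          # characters a truncating scheme actually looks at
PBKDF2_ROUNDS = 100_000   # work factor for the modern scheme


def legacy_store(password: str) -> bytes:
    """Model of an 8-character-truncating scheme: everything past the limit
    is thrown away before hashing, so it never affects the stored value."""
    return hashlib.sha256(password[:LEGACY_LIMIT].encode()).digest()


def legacy_verify(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, legacy_store(attempt))


def modern_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the whole password. The digest is always
    32 bytes whatever the input length; that fixed output size is a property
    of the hash, not a cap on how much of the input is used."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def modern_verify(record: Tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)   # constant-time compare


def digest_lengths(passwords) -> set:
    """Output size of the modern scheme across inputs of different lengths."""
    salt = b"\x00" * 16   # fixed salt so the result is about length, not randomness
    return {len(modern_store(p, salt)[1]) for p in passwords}


def detect_truncation(store: Callable, verify: Callable, password: str,
                      limit: int = LEGACY_LIMIT) -> bool:
    """Black-box probe for a silently truncating password scheme.

    Register `password` (longer than `limit`), then log in with (a) only its
    first `limit` characters and (b) the full password with an extra character
    appended. A scheme that uses the whole password rejects both; a scheme
    that truncates at `limit` accepts both.
    """
    if len(password) <= limit:
        raise ValueError("probe password must be longer than the suspected limit")
    record = store(password)
    prefix_accepted = verify(record, password[:limit])
    longer_accepted = verify(record, password + "!")
    return prefix_accepted and longer_accepted


if __name__ == "__main__":
    probe = "correct horse battery staple"        # constructed sample password
    print("legacy scheme truncates:", detect_truncation(legacy_store, legacy_verify, probe))
    print("modern scheme truncates:", detect_truncation(modern_store, modern_verify, probe))
    print("modern digest sizes:", digest_lengths(["a", probe, "x" * 500]))
```

Run it and the legacy probe reports True, the modern one False, and every modern digest is 32 bytes whether the input was one character or five hundred. The probe is the check to run against a real login form, with `limit` set to whatever you suspect: bcrypt, for instance, uses only the first 72 bytes of the password, and its 60-character output string is the encoded record (version, cost, salt and hash), not a limit on the input it accepts.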
Cris16228@lemmy.today 1 day ago
Oh wow! Didn’t expect a detailed explanation of this. Thank you kind Lemmy user!