Comment on [deleted]
PlexSheep@infosec.pub 3 weeks ago

There should be a maximum, but only to cover ridiculous cases, like users pushing a 5 kilobyte password onto the server. Hashing is expensive.

While we’re at hashing: salting is important of course, but one should also not use just any hash function, but one specifically made for passwords, such as Argon2. If you just use plain old SHA-2, that can still be computed with quite some performance on modern hardware, hence the need for hashing functions that take up performance in a controlled way.
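One way to put the three points above into practice, as an added example that is not PlexSheep's code: reject oversized passwords before any expensive work, use a fresh random salt per user, and store the cost parameters next to the hash so they can be raised later. Argon2 needs a third-party library, so Python's standard-library scrypt (also memory-hard) stands in for it here; the 1024-byte cap and the cost parameters are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed cap: far longer than any passphrase a person types, short enough that
# a client cannot make one login request arbitrarily expensive for the server.
MAX_PASSWORD_BYTES = 1024

# scrypt cost: n = CPU/memory cost, r = block size, p = parallelism.
# Memory use is about 128 * r * n bytes, i.e. 16 MiB with these values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    pass


def _derive(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Deliberately slow and memory-hungry, unlike a plain SHA-2 digest.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(SALT_BYTES)  # new random salt for every stored password
    digest = _derive(pw, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters in the record and compare in constant time."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False  # same cap on the login path, before any hashing
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:  # malformed record (base64 errors subclass ValueError)
        return False
    return hmac.compare_digest(_derive(pw, salt, n, r, p), expected)
```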