Comment on [deleted]

PlexSheep@infosec.pub 3 weeks ago

There should be a maximum, but only to cover ridiculous cases, like users pushing a 5 kilobyte password onto the server. Hashing is expensive.

While we’re at hashing: salting is important of course, but one should also not use any hash function, but one specifically made for passwords, such as argon2. If you just use plain old sha-2, that can still be computed with quite some performance on modern hardware, hence the need for hashing functions that take up performance in a controlled way.
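The three points above (a sanity cap on length, a per-password salt, and a deliberately slow password hash instead of plain SHA-2) as one worked example. This is added illustration code, not the commenter's. It uses `hashlib.scrypt` from Python's standard library as a stand-in for argon2, since argon2 is not in the standard library; the cost parameters and the 128-byte cap are constructed values for the example.

```python
import hashlib
import hmac
import os

# Upper bound on accepted password length, in bytes. A cap like this only
# guards against abusive inputs (the "5 kilobyte password" case); it is far
# above anything a person types, so it does not weaken real passwords.
MAX_PASSWORD_BYTES = 128

# scrypt cost parameters (constructed for this example; tune per deployment).
SCRYPT_N = 2 ** 14   # CPU/memory cost factor
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> bytes:
    """Return salt || derived key; raises ValueError for over-long input."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        # Reject before doing any expensive work, so the cap also bounds the
        # CPU and memory the server spends on a single attempt.
        raise ValueError("password exceeds maximum length")
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    key = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt, key = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                               maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, key)


def plain_sha256(password: str) -> bytes:
    """The anti-pattern: unsalted, fast hash. Equal passwords give equal output,
    and an attacker can compute it at hardware speed."""
    return hashlib.sha256(password.encode("utf-8")).digest()
```

Two users with the same password get different `hash_password` outputs because of the salt, whereas `plain_sha256` gives the same digest for both.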
