
Password has a max length = not hashing passwords? #415

Closed
smtchahal opened this issue Apr 30, 2022 · 9 comments

Comments

@smtchahal
Contributor

The entry for NordVPN states

Claims to protect your security. Can't even hash a password.

supposedly because they don't allow passwords longer than 48 characters.

Is the implication here that having a, say, low max length necessarily means that the server is not hashing the password?

If the hash is computationally expensive (e.g. with argon2), then as the password length grows, so does the computation time. There has to be some sane limit to it, just to prevent a DoS because of a malicious user with an absurdly long password.

Thoughts?

@duffn
Owner

duffn commented Apr 30, 2022

I'm not sure about that particular entry in regard to "Can't even hash a password".

The length, however, is just arbitrary. There was a discussion somewhere on adding Google because their max was 99 characters, but that seems like enough to me, so it wasn't added. 48 seems a bit low to me, so it's on the list. It's just made up.

@smtchahal
Contributor Author

So 48 is made up, but 99 is... based on research?

I think we need a concrete number as to what's considered an acceptable upper limit (which definitely needs to be there). But assuming passwords are stored unhashed just because there's a certain upper limit is just silly.

@duffn
Owner

duffn commented Apr 30, 2022

I didn’t state any sort of research. They’re both made up. 99 seems long enough to me, 48 doesn’t. That’s it.

@smtchahal
Contributor Author

That's fair. I still think we need a number though. I mean 48 seems long enough to me, but that's just always going to be subjective unless we agree upon a number.

I also think we should re-word the NordVPN entry. Hashing should not be put into question without a valid reason.

@duffn
Owner

duffn commented Apr 30, 2022

Please feel free to open a PR to update the Nord entry! I agree, it sounds odd.

@smtchahal
Contributor Author

Done! See #416.

Let's do something about the max length as well now. OWASP doesn't directly say it, but it does mention 64 characters as a "common maximum length due to limitations in certain hashing algorithms".

Let's go with that then? That 64 characters should be the lowest reasonable max length? We could add it to #219 maybe?
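The thread above makes two points that are easier to see in code: a maximum length is a legitimate guard against feeding unbounded input to a slow KDF (first comment), and a fixed-size hash says nothing about the input length, so a ceiling is not evidence of plaintext storage (the OWASP 64-character point just above). The following is an added example written for this page, not code from dumbpasswordrules.com, NordVPN or any participant. The limits (8 to 128 characters, 256 UTF-8 bytes), the choice of PBKDF2-HMAC-SHA256 from the standard library, and the `algo$iterations$salt$hash` storage string are all assumptions made for illustration; the 600,000 iteration count is the OWASP Password Storage Cheat Sheet figure for PBKDF2-SHA256.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Policy limits (assumptions for this example). NIST SP 800-63B and OWASP ask
# that at least 64 characters be accepted, so the ceiling sits well above that.
MIN_CHARS = 8
MAX_CHARS = 128
MAX_BYTES = 256  # UTF-8 size is what the KDF actually consumes

# OWASP Password Storage Cheat Sheet iteration count for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_length(password: str) -> Optional[str]:
    """Return a rejection reason, or None when the password may go to the KDF.

    The byte check matters: 128 characters of 4-byte code points are 512 bytes
    of KDF input, not 128, so a character-only cap under-counts the work.
    """
    if len(password) < MIN_CHARS:
        return "too short"
    if len(password) > MAX_CHARS:
        return "too long"
    if len(password.encode("utf-8")) > MAX_BYTES:
        return "too many bytes"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2; the stored string has the same size whatever the input length."""
    reason = check_length(password)
    if reason is not None:
        raise ValueError(f"password rejected: {reason}")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    if check_length(password) is not None:
        return False  # never run the KDF on input the policy rejects
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    short_pw = "correct horse"      # constructed sample, 13 characters
    long_pw = "x" * MAX_CHARS       # constructed sample, exactly at the ceiling
    h_short, h_long = hash_password(short_pw), hash_password(long_pw)
    print(len(h_short), len(h_long))  # identical: the hash hides the input size
    print(verify_password(short_pw, h_short), verify_password("wrong password", h_short))
    print(check_length("\U0001F511" * 100))  # 100 characters but 400 bytes: rejected
```

The "limitation in certain hashing algorithms" behind the 64-character figure is bcrypt, which only reads the first 72 bytes of its input; a site that silently truncates there is in a worse position than one that rejects at 64. PBKDF2, scrypt and Argon2 accept any length, and their cost is set by the work parameters (iterations, memory, parallelism), with input length adding only a linear amount to the first pass, so a cap in the low hundreds of bytes is plenty to remove the DoS concern without getting anywhere near a limit a human would hit.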

@duffn
Owner

duffn commented Apr 30, 2022

Sure, 64 seems reasonable to me. Though if somebody allows a 70 character password but it’s all lowercase or something absurd like that, then that’s dumb.

@smtchahal
Contributor Author

Agreed! Other dumb password rules still apply. I only opened this issue to discuss password length.

@duffn
Owner

duffn commented Feb 15, 2023

I added a section here on the new about page on what makes a dumb password rule. https://dumbpasswordrules.com/about/

No specific length really, so our previous discussion still applies. I'll continue to happily review any and all PRs for new entries or updates!

@duffn duffn closed this as completed Feb 15, 2023