Hacker News

Ah, that's one of those websites that accept a password of any length without error, truncate it, and show you a "wrong password" the next time you try to log in. Then you go through password reset roulette until you find a short enough password that works. Don't do this.


Wait wait. Why would you truncate it after input unless... you're storing it in plaintext?


Maybe the KDF gets really slow with a super long input.


You truncate passwords to prevent DOS


Why not either show an error or do a client-side hash so there's a fixed length?


Showing an error is probably the right thing. Client-side mitigations wouldn't prevent a DOS.
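The failure the thread describes, a registration path that truncates the password while the login path hashes the full input, placed next to the "show an error" fix. This is an added example, not code posted by anyone in the thread; the 72-byte cap and PBKDF2 are constructed stand-ins for whatever limit and KDF the site actually uses.

```python
import hashlib
import hmac
import os

# Constructed cap for the example; any fixed limit reproduces the behaviour.
MAX_PASSWORD_BYTES = 72


def _kdf(password: bytes, salt: bytes) -> bytes:
    # PBKDF2 stands in for the site's slow KDF. Capping the input length
    # also bounds the work spent per login attempt (the DoS concern above).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def register_truncating(password: str) -> dict:
    """The broken site: accept any length, silently hash only the prefix."""
    salt = os.urandom(16)
    prefix = password.encode()[:MAX_PASSWORD_BYTES]
    return {"salt": salt, "hash": _kdf(prefix, salt)}


def login(record: dict, password: str) -> bool:
    """Login hashes exactly what the user typed, with no truncation."""
    candidate = _kdf(password.encode(), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def register_strict(password: str) -> dict:
    """The fix: reject over-long passwords at registration with an error."""
    encoded = password.encode()
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(encoded, salt)}


def reproduce_roulette() -> tuple[bool, bool, bool]:
    """Returns (long pw logs in?, short pw logs in?, strict path rejected long pw?)."""
    long_pw = "x" * 100   # constructed: over the cap
    short_pw = "x" * 20   # constructed: under the cap
    broken_long = login(register_truncating(long_pw), long_pw)     # False
    broken_short = login(register_truncating(short_pw), short_pw)  # True
    try:
        register_strict(long_pw)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return broken_long, broken_short, strict_rejected
```

The first result is the "wrong password" the commenter hits, the second is the short password that finally works, and the third is the error the user should have seen on day one.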



