| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by meteor333 2981 days ago
	Just the db limit, but yes increasing to 128 shouldn't be an issue. Edit: Passwords are stored with bcrypt hash. That's right password limit shouldn't matter.

2 comments

LyndsySimon 2981 days ago

Yikes.

Yeah, you should be storing the password hashes in the DB, not the passwords. The hashes are going to be the same length regardless of the password's length.

If you wanted to get real fancy, hash the password once on the client side (reducing it to a known length), then again on the server. You should also be using a per-user salt to prevent a rainbow table from being generated if your DB is leaked.

link

meteor333 2981 days ago

yup it is stored with bcrypt hash and per-user salt.

link

usmannk 2981 days ago

Does this mean that you are storing plaintext passwords in the db? The hashes should be the same length regardless of the password length.

link