by vwkd 542 days ago
Ah, that's one of those websites that accept a password of any length without error, truncate it, and show you a "wrong password" the next time you try to log in. Then you go through password reset roulette until you find a short enough password that works. Don't do this.

Wait wait. Why would you truncate it after input unless... you're storing it in plaintext?
Maybe the KDF gets really slow with a super long input.
You truncate passwords to prevent DoS.
Why not either show an error or do a client-side hash so there's a fixed length?
Showing an error is probably the right thing. Client-side mitigations wouldn't prevent a DoS.
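Added example (not part of the thread): the silent-truncation bug described above side by side with the fix the replies converge on, a length cap enforced identically at signup and login that raises a visible error instead of a "wrong password". The 72-byte truncation and the 128-byte cap are assumed values for illustration; the KDF is stdlib PBKDF2 standing in for whatever the site uses.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 128   # assumed policy value; bounds KDF input so long inputs cannot burn CPU

class PasswordTooLong(ValueError):
    """Raised so the user sees a real error rather than a later 'wrong password'."""

def kdf(password: bytes, salt: bytes) -> bytes:
    # Cost is fixed per call once the input length is bounded.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# --- the bug: truncate on signup, but not on login ---
def register_truncating(password: str):
    pw = password.encode()[:72]          # silently cut to 72 bytes, user is never told
    salt = os.urandom(16)
    return salt, kdf(pw, salt)

def login_truncating(password: str, record) -> bool:
    salt, stored = record
    # Full password is hashed here, so anything longer than 72 bytes never matches.
    return hmac.compare_digest(kdf(password.encode(), salt), stored)

# --- the fix: one length rule, applied on both paths, with an explicit error ---
def check_length(password: str) -> bytes:
    pw = password.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password must be at most {MAX_PASSWORD_BYTES} bytes")
    return pw

def register(password: str):
    pw = check_length(password)          # rejected up front, nothing is stored
    salt = os.urandom(16)
    return salt, kdf(pw, salt)

def login(password: str, record) -> bool:
    pw = check_length(password)          # same rule, same error, before any KDF work
    salt, stored = record
    return hmac.compare_digest(kdf(pw, salt), stored)
```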