by deepsun 493 days ago
If the input is 71 characters, all the libraries happily accept it, but an attacker needs to guess only 1 character.
2 comments

If these tools had a runtime check, then the cache key creation would have failed out.

72 is the max length of id, username, and password combined. If that combination is over 72, then failure and the cache key would not have been created. So, no, the attacker would not need to guess only one character of a password.

have separate salt / pepper / user id args
How is the library supposed to know you're doing that wrong?
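The effect the thread is arguing about, as an added example that is not from the thread or from any password-hashing library: a hash that silently ignores everything past byte 72 (modelled here on top of SHA-256 purely as a stand-in for that truncation behaviour, not bcrypt itself), the concatenated id+username+password cache-key construction, and the runtime length check that would make key creation fail instead of quietly hashing only the first byte of the password. The user id, username, passwords and salt are constructed values; the limit is counted in UTF-8 bytes, since that is what a hash function actually consumes.

```python
import hashlib

# bcrypt-style libraries hash only the first 72 bytes of their input and ignore the
# rest. This stand-in reproduces just that truncation on top of SHA-256 so the example
# runs offline; it is NOT bcrypt and must not be used as a password hash.
INPUT_LIMIT_BYTES = 72


def truncating_hash(data: bytes, salt: bytes) -> str:
    """Model of a KDF that silently discards everything past byte 72."""
    return hashlib.sha256(salt + data[:INPUT_LIMIT_BYTES]).hexdigest()


def combine(user_id: str, username: str, password: str) -> bytes:
    """The cache-key input pattern under discussion: fields concatenated, then hashed."""
    return f"{user_id}{username}{password}".encode("utf-8")


def build_cache_key_unchecked(user_id: str, username: str, password: str, salt: bytes) -> str:
    """No length check: an over-long prefix pushes the password past the cut-off."""
    return truncating_hash(combine(user_id, username, password), salt)


def build_cache_key_checked(user_id: str, username: str, password: str, salt: bytes) -> str:
    """Runtime check: refuse to build a key whose input would be truncated."""
    combined = combine(user_id, username, password)
    if len(combined) > INPUT_LIMIT_BYTES:
        raise ValueError(
            f"combined input is {len(combined)} bytes; only the first "
            f"{INPUT_LIMIT_BYTES} would be hashed, so the key is not created"
        )
    return truncating_hash(combined, salt)


def password_bytes_hashed(user_id: str, username: str, password: str) -> int:
    """How many bytes of the password still influence the hash after the prefix."""
    prefix_len = len(f"{user_id}{username}".encode("utf-8"))
    pw_len = len(password.encode("utf-8"))
    return max(0, min(pw_len, INPUT_LIMIT_BYTES - prefix_len))


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed, fixed for the demonstration
    user_id = "0123456789"              # 10 bytes, constructed
    username = "u" * 61                 # 61 bytes, constructed: prefix totals 71 bytes

    # Only one byte of the password survives truncation, so any two passwords that
    # share a first character yield the same cache key.
    print("password bytes hashed:", password_bytes_hashed(user_id, username, "Correct-Horse"))
    k1 = build_cache_key_unchecked(user_id, username, "Correct-Horse", salt)
    k2 = build_cache_key_unchecked(user_id, username, "Cat", salt)
    print("unchecked keys collide:", k1 == k2)

    # The checked builder refuses instead of producing a weak key.
    try:
        build_cache_key_checked(user_id, username, "Correct-Horse", salt)
    except ValueError as exc:
        print("checked builder rejected input:", exc)
```

The check belongs at the point where the caller assembles the input, because a library that receives a single byte string cannot tell whether it is one password or three concatenated fields; that is the reply's point about separate salt, pepper and user-id arguments.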