by r00fus
4806 days ago
Most people using 50+ character passwords or phrases often use password management software like 1Password, KeePass, or browser-based, etc. I do think an upper limit is valid, as allowing an arbitrarily long string could be a form of DoS (imagine someone sending the Library of Congress as a password), but 64 characters seems kind of weak.

AFAIK all these programs allow generation of <=64 character passwords.
> but 64 characters seems kind of weak.
A 64-character alpha-numeric password has 36^64 combinations. That's 2^330. You're trillions of times more likely to find a hash collision than brute force the password (assuming 256-bit hashes).
Security-wise there is absolutely 0 difference between allowing >64 character passwords and not. From a user experience perspective I'm sure arguments could be made either way.