by just2n
4448 days ago
I wouldn't want to limit the password a user supplies. Any password should work, including 1 byte or 1 GB passwords. Restrictions of any form have always just caused more problems than they've solved. But the solution I've favored is hashing the user's password on the client with a hash that provides enough significant bits that your key derivation on the server is not weakened. This way you get the benefit of not needing to deal with differences in transmission size and the user's plaintext password is never exposed to any listener (regardless of whether the connection is secure, or believed to be secure).
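The scheme described above, written out as an added example (not the commenter's code): the client collapses a password of any length into a fixed 32-byte SHA-256 digest, and the server still runs a salted, slow KDF over that digest. Binding the prehash to the lowercased username and using PBKDF2-HMAC-SHA256 with 100,000 iterations are this example's own choices, not something the comment specifies.

```python
import hashlib
import hmac
import os

PREHASH_LEN = 32          # SHA-256 output: 256 bits, so the server KDF's input is not weakened
PBKDF2_ITERATIONS = 100_000


def client_prehash(password: bytes, username: str) -> bytes:
    """Client side: map a password of any size (1 byte or 1 GB) to a fixed-size digest.

    The username is mixed in (assumed design choice) so that a captured prehash
    is tied to one account and cannot be replayed as-is against another.
    """
    h = hashlib.sha256()
    h.update(username.lower().encode("utf-8"))
    h.update(b"\x00")                 # separator so (user, pw) pairs cannot collide by concatenation
    h.update(password)
    return h.digest()


def server_register(prehash: bytes) -> dict:
    """Server side: the prehash is the credential it sees, so it is treated like a password.

    A per-user random salt and a deliberately slow KDF still apply; the client hash
    only normalises length, it does not replace server-side stretching.
    """
    if len(prehash) != PREHASH_LEN:
        raise ValueError("prehash must be exactly %d bytes" % PREHASH_LEN)
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", prehash, salt, PBKDF2_ITERATIONS, dklen=32)
    return {"salt": salt, "key": key}


def server_verify(record: dict, prehash: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    if len(prehash) != PREHASH_LEN:
        return False
    key = hashlib.pbkdf2_hmac("sha256", prehash, record["salt"], PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(key, record["key"])


if __name__ == "__main__":
    # Constructed inputs: a 1-byte password and a 1 MiB password both become 32 bytes on the wire.
    short_pw, long_pw = b"a", b"x" * (1 << 20)
    print(len(client_prehash(short_pw, "alice")), len(client_prehash(long_pw, "alice")))
    rec = server_register(client_prehash(short_pw, "alice"))
    print(server_verify(rec, client_prehash(short_pw, "alice")))   # True
    print(server_verify(rec, client_prehash(short_pw, "bob")))     # False: bound to the account
```

Note that on the wire the prehash is itself a password-equivalent for that account, which is why the server never stores it directly and why transport protection is still required; the client hash removes the plaintext from the channel, nothing more.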