by frik 4418 days ago
Impressive.

That's also the reason why one should limit the max-length of a password field (something reasonable), if one is using the salted-password in db approach. Otherwise someone could enter a very long password to do the trick (MD5/SHA1), see http://en.wikipedia.org/wiki/MD5#Security .


I guess I'm not following your logic. If there is a salted, hashed password in a db, allowing arbitrary length passwords shouldn't matter? HMACs and KDFs work very differently from symmetric-crypto primitives.
The point is that it makes it easier for an attacker to find a hash collision. It's much easier to construct data which hashes to a given value if it can be of arbitrary length. I don't immediately see the connection with this article however.
I don't follow. Breaking a password hash, you're not trying to find a hash collision; you need to break the preimage attack. Sure, at some stage in the future there might be a preimage attack that requires a large amount of data to use. But really, if you're worried about a theoretical preimage attack you aren't using md5.
The attacker doesn't need a hash collision in the case you're describing; they need a preimage.
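
The collision-versus-preimage distinction raised in the replies above, as an added example that is not part of any comment in the thread. It assumes a toy hash (SHA-256 truncated to 16 bits) so both searches finish quickly; `toy_hash`, `find_collision`, `find_preimage`, `verify`, the salt and the stored record are all hypothetical, constructed names and values.

```python
import hashlib
from itertools import count

BITS = 16                    # toy digest width (assumption) so searches finish fast
SALT = b"constructed-salt"   # constructed sample salt


def toy_hash(salt: bytes, password: bytes) -> int:
    """SHA-256(salt || password), truncated to BITS bits."""
    digest = hashlib.sha256(salt + password).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - BITS)


def find_collision(salt: bytes):
    """Birthday search: ANY two distinct inputs whose hashes are equal."""
    seen = {}
    for tries in count(1):
        candidate = b"c%d" % tries
        h = toy_hash(salt, candidate)
        if h in seen:
            return seen[h], candidate, tries
        seen[h] = candidate


def find_preimage(salt: bytes, stored: int):
    """What password verification depends on: an input matching the STORED hash."""
    for tries in count(1):
        candidate = b"p%d" % tries
        if toy_hash(salt, candidate) == stored:
            return candidate, tries


def verify(salt: bytes, stored: int, attempt: bytes) -> bool:
    """Login check as a salted-hash database would perform it."""
    return toy_hash(salt, attempt) == stored


# Constructed database record for a sample account.
STORED = toy_hash(SALT, b"correct horse battery staple")

if __name__ == "__main__":
    a, b, c_tries = find_collision(SALT)
    p, p_tries = find_preimage(SALT, STORED)
    print(f"collision after {c_tries} tries: {a!r} / {b!r}")
    print(f"collision pair passes login: {verify(SALT, STORED, a)}, {verify(SALT, STORED, b)}")
    print(f"preimage after {p_tries} tries: {p!r} passes login: {verify(SALT, STORED, p)}")
```

For a 16-bit digest the collision search is expected to take on the order of 2^8 tries and the preimage search on the order of 2^16, and the colliding pair is only useful against the login check if it happens to hit the stored value.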