
As long as you throttle login attempts, short passwords are fine. E.g., a 6-digit PIN on a debit card might seem useless, but if you only get 3 tries per day that's just not an issue.

~10-20 failed attempts per day per IP + some rules to check for multiple IPs per account and 8 lowercase letters - most common passwords is actually reasonable.
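An added example (not from the thread) implementing the policy the comment above sketches in Python: a per-IP daily failure budget, a distinct-IPs-per-account rule, an "8 lowercase letters minus common passwords" check, and the resulting online search time. The budget of 20, the limit of 3 IPs and the deny-list contents are assumed values.

```python
import time
from collections import defaultdict

# Assumed policy values, chosen from the ranges the comment gives.
MAX_FAILS_PER_IP_PER_DAY = 20
MAX_DISTINCT_IPS_PER_ACCOUNT_PER_DAY = 3
DAY = 86400
# Constructed stand-in for a "most common passwords" deny-list.
COMMON_PASSWORDS = {"password", "letmein", "qwertyui", "iloveyou"}


class LoginThrottle:
    """Counts failed logins per source IP and per target account over a sliding day."""

    def __init__(self):
        self._ip_fails = defaultdict(list)      # ip -> [failure timestamps]
        self._account_ips = defaultdict(dict)   # account -> {ip: last failure ts}

    def _prune(self, now):
        for ip, ts in list(self._ip_fails.items()):
            self._ip_fails[ip] = [t for t in ts if now - t < DAY]
        for acct, ips in list(self._account_ips.items()):
            self._account_ips[acct] = {ip: t for ip, t in ips.items() if now - t < DAY}

    def allowed(self, ip, account, now=None):
        now = time.time() if now is None else now
        self._prune(now)
        if len(self._ip_fails[ip]) >= MAX_FAILS_PER_IP_PER_DAY:
            return False  # this source has spent its daily budget
        ips = self._account_ips[account]
        # An account being guessed from many addresses is locked for new
        # addresses even if each of them is under its own per-IP budget.
        if len(ips) >= MAX_DISTINCT_IPS_PER_ACCOUNT_PER_DAY and ip not in ips:
            return False
        return True

    def record_failure(self, ip, account, now=None):
        now = time.time() if now is None else now
        self._ip_fails[ip].append(now)
        self._account_ips[account][ip] = now


def password_acceptable(pw):
    """Exactly 8 ASCII lowercase letters and not on the deny-list."""
    return len(pw) == 8 and all("a" <= c <= "z" for c in pw) and pw not in COMMON_PASSWORDS


def years_to_exhaust(alphabet=26, length=8, attempts_per_day=MAX_FAILS_PER_IP_PER_DAY, ips=1):
    """Years needed to try every candidate online from `ips` throttled sources."""
    return alphabet ** length / (attempts_per_day * ips) / 365
```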




> As long as you throttle login attempts short passwords are fine.

Not if the password-hash database leaks.


If someone has hacked into your bank, you have bigger problems than the hackers knowing your password.


I can buy that argument in general. But silently truncating is indefensible. What if I had a long password which started with my name or something, but which I believed to be secure because it had secret stuff at the end?



