
Why have a limit at all? You should be comparing against a hash anyhow, which is fixed length.

I generally use 128-char passwords by default, and only use shorter ones when a service requires it.



Just the db limit, but yes increasing to 128 shouldn't be an issue.

Edit: Passwords are stored with a bcrypt hash. That's right, the password limit shouldn't matter.


Yikes.

Yeah, you should be storing the password hashes in the DB, not the passwords. The hashes are going to be the same length regardless of the password's length.

If you wanted to get real fancy, hash the password once on the client side (reducing it to a known length), then again on the server. You should also be using a per-user salt to prevent a rainbow table from being generated if your DB is leaked.
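The scheme described in the comment above (pre-hash the password to a fixed length, then run it through a slow, salted password hash) as an added example that is not part of this thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt, because bcrypt is not available without a third-party package; a bcrypt string already embeds its own salt, so the `iterations$salt$hash` record format here is only needed because PBKDF2 does not. The SHA-256 pre-hash also keeps the input under bcrypt's 72-byte limit, which matters for the 128-character passwords mentioned earlier in the thread. All function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256
# stands in for it. Both produce a fixed-length, salted, slow-to-compute hash.
PBKDF2_ITERATIONS = 200_000   # illustrative work factor, tune for your hardware
SALT_BYTES = 16               # per-user random salt
DIGEST_BYTES = 32             # output length, independent of password length


def prehash(password: str) -> bytes:
    """Reduce an arbitrarily long password to a fixed 32-byte digest.

    This is the 'hash once first' step from the comment above. It bounds the
    input to the real password hash (bcrypt silently truncates at 72 bytes),
    so a 128-character password is used in full.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return the string to store in the DB: iterations$salt$hash, all hex.

    The salt is generated fresh per user; the same password stored for two
    users yields two different records, which defeats precomputed tables.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", prehash(password), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", prehash(password), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_BYTES,
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_length(record: str) -> int:
    """Length of the stored record; the same for any password length."""
    return len(record)


if __name__ == "__main__":
    short = make_record("a")
    long_ = make_record("x" * 128)
    print(record_length(short), record_length(long_))   # same DB column width
    print(verify("x" * 128, long_), verify("x" * 127, long_))
```

Because the stored column only ever holds the fixed-width record, the database schema imposes no limit on what the user may type; the only hard limit left is the one the password hash itself has, and the pre-hash removes that too.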


Yup, it is stored with a bcrypt hash and per-user salt.


Does this mean that you are storing plaintext passwords in the db? The hashes should be the same length regardless of the password length.



