
Assuming they use bcrypt

"for bcrypt (the default algorithm), the cost increases exponentially with the number of stretches (e.g. a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation)." Ruby on Rails defaults to 11 stretches; with better computers that number will increase, and it's recommended not to go below 10 in production systems.

Hackers, or rather security researchers, will try 1000- or 5000-character-long passwords, 10x per second, which brings down the website: a DoS attack. Happened to me.

I'm not saying a 64-character limit is a good limit (I have my setting at 128 after some testing), but any limit is advisable. A website owner just has to be realistic about how long usual (not security researcher) users set their passwords and find a trade-off.


Stretches, or cost, is the number of hashing rounds, so it's not related to password length.

bcrypt has a 72-byte password length limit [0]. If the password is shorter, it gets extended to 72 bytes anyway, so longer passwords (10 chars vs 70 chars) don't make a time difference.

The password can be pre-hashed to allow arbitrarily sized passwords [1], but I don't think 10 chars vs 10000 would make a significant difference. I think most of the time will be spent on the bcrypt rounds, not on pre-hashing.

> Happened to me.

While trying to find the stretches quote, I found this post [2], so maybe it was not bcrypt? :)

[0] https://en.wikipedia.org/wiki/Bcrypt#Maximum_password_length

[1] https://en.wikipedia.org/wiki/Bcrypt#Solution_3_-_Pre-hash_p...

[2] https://news.ycombinator.com/item?id=26270129
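To make the two points above concrete (bcrypt only hashes the first 72 bytes of its input, and the pre-hash from [1] lifts that limit), here is an added Python example that is not from the thread. It models bcrypt's 72-byte truncation with a byte slice rather than calling bcrypt itself, and the 128-character policy limit is an assumed application setting taken from the first comment.

```python
import base64
import hashlib

BCRYPT_MAX_BYTES = 72      # bcrypt consumes only the first 72 bytes of its input
MAX_PASSWORD_CHARS = 128   # assumed site policy (the value mentioned in the thread)


def bcrypt_effective_input(password: str) -> bytes:
    """Model of what bcrypt actually hashes: UTF-8 bytes cut at 72.

    This simulates bcrypt's documented truncation; it does not run bcrypt.
    """
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def prehash_for_bcrypt(password: str) -> bytes:
    """'Solution 3' from the linked article: SHA-256, then base64 the digest.

    The result is always 44 bytes (< 72), so every byte of the password
    contributes and bcrypt sees a fixed-size input. Base64 also avoids
    NUL bytes, which some bcrypt implementations treat as a terminator.
    A hard length cap still bounds the (cheap) SHA-256 work per attempt.
    """
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError(f"password longer than {MAX_PASSWORD_CHARS} characters")
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def same_under_raw_bcrypt(a: str, b: str) -> bool:
    """True when raw bcrypt would hash a and b to the same value."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def same_after_prehash(a: str, b: str) -> bool:
    """True when the pre-hashed inputs (and so the bcrypt hashes) match."""
    return prehash_for_bcrypt(a) == prehash_for_bcrypt(b)


if __name__ == "__main__":
    # Constructed sample: two passwords that agree on their first 72 bytes.
    shared = "x" * 72
    p1, p2 = shared + "-alpha", shared + "-bravo"
    print("raw bcrypt sees them as equal:", same_under_raw_bcrypt(p1, p2))  # True
    print("after pre-hash they differ:", same_after_prehash(p1, p2))         # False
    print("pre-hash length:", len(prehash_for_bcrypt(p1)))                   # 44
```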

Thanks for the insight! Valid idea :D
