Just take the string as bytes and hash it ffs

  • @[email protected]
    link
    fedilink
    English
    34 months ago

    The resulting hash will always be the same size, but you don’t want to have an unlimited upper bound otherwise I’m using a 25GB blueray rip as my password and your service is going to have to calculate the hash of that whenever I login.

    Sensible upper bounds are a must to provide a reliable service not open to DDOS exploits.

    • Saik0
      link
      fedilink
      English
      1
      edit-2
      4 months ago

      Sensible upper bounds are a must to provide a reliable service not open to DDOS exploits.

      If I choose to make you hash it in browser first… Then I simply don’t care do I? I can hash/salt again when I get your hash. Edit: There are other answers to the “DDOS problem” that don’t require upper bounds.

      • @[email protected]
        link
        fedilink
        English
        0
        edit-2
        4 months ago

        You can make a client hash it, but if you don’t reject large inputs to your API a client can send enough data to DOS you anyway.

        • Saik0
          link
          fedilink
          English
          14 months ago

          And a meteor can hit my server the exact time you send your hash which will DOS you/others as well. What’s your point.

          The thread is talking about what it takes to store passwords. There is not DOS potential in a well designed system. Just because you want to arbitrarily conjure up bullshit doesn’t make that any less true.

          Rejecting large inputs != disallowing users to have large passwords. Why are you attempting to straw-man me here?

          • @[email protected]
            link
            fedilink
            English
            14 months ago

            You were saying the input size doesn’t matter because you only store the hash which is always the same size. What I’m saying is that the input size really does matter.

            You absolutely should set upper limits on all input fields because it will be abused if you don’t. Systems should validate their inputs, passwords included

            • Saik0
              link
              fedilink
              English
              14 months ago

              And I showed you a way that we can make it so it doesn’t matter.

              Force local hash -> Hash/salt what you get. Password can be a million characters long. You’ll only ever get like 128 characters.

              Nothing I talked about said to not validate inputs. Just that we don’t have to limit a persons password selection.