Technically, if they are using bcrypt hashes with a high enough work factor, and salt them with something like UserID, then 12 characters is pretty damn secure even if their whole DB gets leaked.
Of course, there's no good reason to limit passwords to any length.
Again, the point isn't about whether 12 is enough. It could have been 64 and the point would still stand. The OP's point is that limiting password length (to anything less than 1000 or so) is usually done to be able to set a maximum length on the password column of a database. Password hashes, on the other hand (including bcrypt), produce fixed-length hashes, regardless of the input size.
It's 72 actually. I thought it was 56 as mentioned on the original [?] BCrypt website[1]. A thread[2] on security.stackexchange discusses a workaround for the 72 char limit. See https://gist.github.com/4690368 for a simple test case that shows the >72 char truncation.
The source provides a hint:
/* Schneier specifies a maximum key length of 56 bytes.
* This ensures that every key bit affects every cipher
* bit. However, the subkeys can hold up to 72 bytes.
* Warning: For normal blowfish encryption only 56 bytes
* of the key affect all cipherbits.
*/
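The effect the quoted comment and the gist describe, as an added example that is not part of this thread, the gist, or the bcrypt project. It models the 72-byte key truncation in plain Python (a simulation of the effect, not the bcrypt algorithm), shows that the limit is measured in bytes rather than characters, and includes a pre-hash step of the kind the linked workaround thread discusses; the particular choice of SHA-256 plus base64 is this example's assumption, and the final call into a real bcrypt library is deliberately left out so the block runs with only the standard library.

```python
import base64
import hashlib

# bcrypt's Blowfish subkeys hold at most 72 bytes of key material (see the
# source comment quoted above); any password bytes past that are ignored.
BCRYPT_MAX_KEY_BYTES = 72


def password_bytes(password: str) -> bytes:
    """UTF-8 encode the password. The 72 limit is on bytes, not characters,
    so a 25-character password of 3-byte code points already exceeds it."""
    return password.encode("utf-8")


def exceeds_bcrypt_limit(password: str) -> bool:
    """True when bcrypt would silently discard part of this password."""
    return len(password_bytes(password)) > BCRYPT_MAX_KEY_BYTES


def truncated_key_material(password: str) -> bytes:
    """Constructed model of the truncation: the bytes bcrypt actually consumes.
    This illustrates the effect; it is not an implementation of bcrypt."""
    return password_bytes(password)[:BCRYPT_MAX_KEY_BYTES]


def bcrypt_would_treat_as_equal(a: str, b: str) -> bool:
    """Two distinct passwords whose first 72 bytes agree are indistinguishable
    to bcrypt: the check in the gist above passes for both."""
    return truncated_key_material(a) == truncated_key_material(b)


def prehash_for_bcrypt(password: str) -> bytes:
    """Workaround (assumed scheme): hash the whole password with SHA-256 and
    base64-encode the digest. The result is always 44 ASCII bytes, so every
    byte of a long password influences the bcrypt key, and the input never
    contains a NUL byte, which some bcrypt implementations treat as a string
    terminator. Feed the returned bytes to bcrypt instead of the raw password."""
    digest = hashlib.sha256(password_bytes(password)).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Constructed sample passwords: identical for 72 bytes, different afterwards.
    long_a = "x" * 72 + "A"
    long_b = "x" * 72 + "B"
    print("exceeds limit:", exceeds_bcrypt_limit(long_a))
    print("bcrypt sees them as equal:", bcrypt_would_treat_as_equal(long_a, long_b))
    print("pre-hashed inputs differ:", prehash_for_bcrypt(long_a) != prehash_for_bcrypt(long_b))
```

Checking the byte length at signup, or pre-hashing, is the defender's fix; the mistake this thread is about is capping the column instead of hashing at all.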
You are missing the same point they are. A hash doesn't care about the input length and produces a fixed size output. Consequently, if Stardock are claiming there is a need for a limited input length then it is a very good "smell" that they are not using hashing at all. The lack of hashing is the problem and debating acceptable length limits is avoiding the topic.
I've long used this smell to identify companies not to trust with security. It's rare that I would be willing to create an account somewhere just to buy something, but a policy like this is always a deal-breaker for me, because I would expect them to get hacked.
Another smell is bizarre rules. Rank amateurs are quickly spotted by requirements not to use various characters related to SQL injection and XSS. The other week I encountered a site that whined about consecutive letters, case and numbers. (My password was randomly generated by a password manager.)