undefined | Better HN

0 pointsSomeone10y ago0 comments

Some browsers might not want to send the password in a POST request. Effect could be that you can change your password from browser X, but cannot login later from a different browser or after you upgraded that browser. If you are really unlucky, the browser you change it from chops off characters from the password.

Also, chances are users will not type their 10MB password into an input field, but try and paste it in. Again, the browser may silently discard a few MB of that string, or beep while you have your sound muted.

That's no reason to set max length at something small, but setting it to 1024 or so shouldn't limit anybody as long as it allows for more entropy in the plaintext password than will be in the hash you store.

0 comments

3 comments · 1 top-level

smellf10y ago· 2 in thread

Shouldn't the password be hashed on the frontend anyway...?

recursive10y ago

No. If you do that, then the password hash becomes the real password, and the exercise of hashing it serves no security purpose.

eru10y ago

You can, of course, play some zero-knowledge tricks on the front end.

j / k navigate · click thread line to collapse