✨Ben Hamill✨ is a user on octodon.social.
✨Ben Hamill✨ @benhamill

A website complained at me for trying to make a password too long. Their limit is 40 characters. Oh.


@benhamill Whenever I see a length limit on a password field, it tells me one thing: "we store your password, not its hash".

@deshipu Oh bleh! I hadn't even considered that! But of course! Oh gross!

@kelsey @deshipu Thanks for this! I do not understand cryptography well enough, clearly.

@deshipu @kelsey Oh. And I guess this is a reasonable reason to set my password manager to default to generating 72 character passwords, yeah? Or am I failing to understand some more?

@benhamill For the threats I expect (providers getting hacked, mass leaks) I consider using unique passwords that are reasonably long (where I consider reasonable more than, like, 16 chars) more important than absolute length. If you think you're subject to targeted attack by a very well-resourced attacker you might feel differently (but you should be getting better advice than from me if so).

@kelsey Haha. I guess: it's easy to adjust the length slider, so even if the gain is minimal, the effort is also minimal. The threats you're worried about are the same ones I feel are most likely to get me.

@benhamill if you are using a password manager you are way ahead of the curve already! doing it right!

@benhamill But sure, 72 chars couldn't hurt! I just wouldn't use the incredibly common occurrence of a max password length (which can be for other reasons as well, like some kind of backward compatibility with older versions of authentication that were upgraded for security reasons) as an indicator that a site is particularly untrustworthy, or take the lack of one as a sign of security.

@deshipu @benhamill Well... Mastodon limits passwords to 72 letters :-(

@cesar @deshipu Yeah. TIL that as well. Nice people on Mastodon are nice.

@benhamill @deshipu To me, it means the service or software doesn't see the need for better security.

I play #GuildWars2, which years back enabled passwords of up to 100 unicode characters, on top of #2FA. Luv it.

@evilchili @benhamill I would say it's an inexperienced dev 100% of the time. Either so inexperienced that they think it's a good idea, or so inexperienced that they didn't say "over my dead body" to the management when it came asking for that. Lack of experience either way.

@benhamill @evilchili Ok, maybe 5% of the time it's the evil haxxors setting up a honeypot.

@deshipu @benhamill I agree that is true the vast majority of the time. However, note that for some hash algorithms there are DoS attacks that exploit problems encountered when the plaintext pwd is super duper long.

Also, HTML form fields sorta need a length! I set length to something like 200, 300.

@benhamill @deshipu Here is an interesting example:

stedotmartin.wordpress.com/201

I certainly agree, however, that most of the time when a website says "your password is too long", that is a very bad sign. Especially since the maximum length in these cases is almost always less than, say, 20 characters!

@cognish @benhamill I usually solve that by having a limit on the overall post data size, but you are right that *some* limit is useful.
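An added example (not from anyone in this thread) of what a server-side check that takes both sides of the discussion into account can look like: a generous maximum that bounds the hashing work per login attempt (the DoS concern above), enforced on UTF-8 bytes rather than characters (a 100-character unicode passphrase can be several hundred bytes), in front of a memory-hard KDF. The limit of 256 bytes and the scrypt parameters are constructed choices for this example, not values from the thread or from Mastodon.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed policy values for this example; pick your own.
MAX_PASSWORD_BYTES = 256   # bounds KDF input size, hence work per attempt
MIN_PASSWORD_CHARS = 12

# scrypt cost parameters (constructed for the example): n=2**14, r=8 ~ 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def utf8_length(password: str) -> int:
    """Length in bytes as the KDF will see it, not in characters."""
    return len(password.encode("utf-8"))


def check_length(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> tuple[bool, str]:
    """Return (ok, reason). Minimum is in characters (usability), maximum in bytes."""
    if len(password) < MIN_PASSWORD_CHARS:
        return False, f"too short: {len(password)} chars < {MIN_PASSWORD_CHARS}"
    n = utf8_length(password)
    if n > max_bytes:
        return False, f"too long: {n} bytes > {max_bytes}"
    return True, "ok"


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Hash for storage. Raises on policy violation so nothing over-long reaches the KDF."""
    ok, reason = check_length(password)
    if not ok:
        raise ValueError(reason)
    salt = salt if salt is not None else os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + _kdf(password, salt).hex()


def verify_password(password: str, stored: str) -> bool:
    """Verify a login attempt; reject over-long input before any KDF work is done."""
    if utf8_length(password) > MAX_PASSWORD_BYTES:
        return False
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    return hmac.compare_digest(_kdf(password, bytes.fromhex(salt_hex)), expected)


if __name__ == "__main__":
    # Constructed sample inputs: same character count, very different byte counts.
    for pw in ["a" * 100, "ñ" * 100, "€" * 100]:
        print(len(pw), "chars,", utf8_length(pw), "bytes ->", check_length(pw))
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```

The point of counting bytes is that "72 characters" and "72 bytes" only coincide for ASCII; a limit expressed in characters can silently admit inputs several times larger than the server intended. Capping at the application layer (rather than only on the form field, which the client controls) is what actually bounds the work.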