Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/bob_zim/statuses/113195981604736229">Zimmie (bob_zim@infosec.exchange)'s status on Wednesday, 25-Sep-2024 20:27:51 JST</a><a href="https://infosec.exchange/@bob_zim" title="bob_zim@infosec.exchange"><img src="https://gnusocial.jp/avatar/190801-48-20240224155142.webp" width="48" height="48" alt="Zimmie" style="position: absolute; left: 0; top: 0;">Zimmie</a><div><a href="https://mastodon.gamedev.place/@delegatevoid/113195750972146546" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/255715" title="delegatevoid@mastodon.gamedev.place">DelegateVoid</a></li></ul></div></section><article><p><a href="https://mastodon.gamedev.place/@delegatevoid">@delegatevoid</a> <a href="https://mastodon.social/@LukaszOlejnik">@LukaszOlejnik</a> Upper limits on passphrase length are mostly about closing a possible resource exhaustion vector on the authenticating system. If you hash it all down to 64 bytes, there’s no point dealing with passphrases longer than 128 characters. Further characters don’t add any further entropy, but if you have no upper bound, some knucklehead is going to make your server hash the entirety of War and Peace over and over.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3720655#notice-7293633">In conversation</a><time datetime="2024-09-25T20:27:51+09:00" title="Wednesday, 25-Sep-2024 20:27:51 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@bob_zim/113195981604736229" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@bob_zim/113195981604736229">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Zimmie (bob_zim@infosec.exchange)'s status on Wednesday, 25-Sep-2024 20:27:51 JSTZimmie
in reply to
- Lukasz Olejnik
- DelegateVoid
@delegatevoid @LukaszOlejnik Upper limits on passphrase length are mostly about closing a possible resource exhaustion vector on the authenticating system. If you hash it all down to 64 bytes, there’s no point dealing with passphrases longer than 128 characters. Further characters don’t add any further entropy, but if you have no upper bound, some knucklehead is going to make your server hash the entirety of War and Peace over and over.
In conversationabout 2 months ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice