Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • redxef@scribe.disroot.org
    link
    fedilink
    arrow-up
    2
    ·
    3 months ago

    Hashing on the client side is as secure as not hashing at all, an attacker can just send the hashes, since they control the client code.

    • wer2@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      Hashing is more about obscuring the password if the database gets compromised. I guess they could send 2^256 or 2^512 passwords guesses, but at that point you probably have bigger issues.

      • redxef@scribe.disroot.org
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        3 months ago

        It’s more about when a database gets leaked. They then don’t even have to put in the effort of trying to match hashes to passwords. And that’s what hashing a password protects against, when done correctly.