gmalivuk wrote: Your 100-character passphrase is orders of magnitude more likely to be unique than some amateurish mangling of a common word.
... but the resulting hash isn't, and it's the resulting hash that counts.
gmalivuk wrote: Collisions or not, how can a short (less than, say, 30 characters) limit ever *help* security?
A limit that is too short never helps security. More annoying are sites that prohibit commonly used punctuation, so I can't even use "can't" in the (long) password. It becomes harder to remember whether I used "cant" or "cannot" in the passphrase, and it's too late by the time I remember that this isn't one of those sites, and I used "can't". I've already been locked out and am now a support burden as I get the password reset again, whereupon I discover that the quote is permitted, but the period is not. grrrrrr!
As the person creating a password, I need to consider that the attacker knows how I came up with it (i.e. choose four words in French and run them together). However, as a website designer, I need to consider all possible attack methods on the database. If I encourage my users to do one thing (come up with a long French sentence), I would expect that an attacker would expect that my database is best attacked along those lines (i.e. with a French dictionary).
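An added example (my own, not code from anyone in this thread) contrasting a policy of the kind complained about above (short maximum, banned punctuation) with one that sets only a minimum and hashes with a proper KDF, so passphrase length never needs a short cap for storage reasons; the rule thresholds and sample passphrases are constructed for illustration.

```python
import hashlib
import os

# Constructed sample passphrases: the long, punctuated kind the post describes,
# a French-word passphrase, and one that is simply too short.
SAMPLES = [
    "I can't remember whether I used cant or cannot.",
    "quatre mots en français collés",
    "short1",
]


def restrictive_policy(pw: str) -> bool:
    """Hypothetical policy of the kind the post complains about: a 16-character
    maximum and a ban on common punctuation. It rejects the strong passphrases."""
    return 8 <= len(pw) <= 16 and not any(c in "'.,;!?" for c in pw)


def permissive_policy(pw: str) -> bool:
    """Corrected policy: a minimum length only, any printable character (spaces,
    apostrophes, accented letters) accepted, and a generous cap (1024) whose sole
    purpose is to bound the cost of hashing an attacker-supplied blob."""
    return 12 <= len(pw) <= 1024 and all(c.isprintable() for c in pw)


def hash_passphrase(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Hash with PBKDF2-HMAC-SHA256 and a random 16-byte salt (a fixed salt may be
    passed for reproducible tests). The digest is always 32 bytes regardless of
    input length, so nothing about storage requires limiting the passphrase."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return salt, digest


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: restrictive={restrictive_policy(pw)} "
              f"permissive={permissive_policy(pw)}")
```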