In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

  • x00z@lemmy.world
    4 days ago

    There’s some software that hashes the password clientside before sending it, sure. But it still should be hashed serverside too.

        • Sonotsugipaa@lemmy.dbzer0.com
          4 days ago

          Plaintext password (693 chars):
          “hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2hunter2”

          Clientside SHA-512 hash (64 bytes):
          7399ed78effda820b2187bc70f0549dd67f6846c595f944d198a1f1136cd0ab91119d6f208a34b4419e969b9ffb326d3786cecb90828f0ab36a5e3835558740c

          — Client sends 64 bytes to the server —

          Serverside SHA-512 hash (64 bytes):
          25293199e10af10e8a20f4ab38abccd2cdccd762d8cba2ed4871a2aea8fe6d9ffcc54cfe1c9cbd03245bfd2f0ee1039f06083b7bcbefd91b7fcbba182d588983

          At no point does the server have to deal with the length of the plaintext.
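The flow sketched in the comment above, written out as an added example (it is not code from the thread or from any particular project): the client pre-hashes the password with SHA-512 so the server always receives a fixed 64 bytes, and the server then hashes that digest again before storing it. The server side here uses a salted, iterated PBKDF2-HMAC-SHA512 from Python's standard library rather than the bare SHA-512 shown in the comment; the record format, the iteration count and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input, not data from a real system: the thread's
# 693-character password is "hunter2" repeated 99 times (7 * 99 = 693).
LONG_PASSWORD = "hunter2" * 99

# PBKDF2 work factor (assumed for this example; tune for your own hardware budget).
PBKDF2_ITERATIONS = 210_000


def client_prehash(password: str) -> str:
    """Client side: reduce a password of any length to one SHA-512 digest.

    Whatever the user typed, the server only ever receives these 128 hex
    characters (64 bytes), so a length limit on the plaintext never applies.
    """
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def server_store(prehash: str, salt: Optional[bytes] = None) -> dict:
    """Server side: treat the client digest as the secret and hash it again.

    A salted, iterated KDF is used so a stolen record cannot be used directly
    and so a stolen client digest cannot be matched against it without work.
    The dict layout is a hypothetical storage format for this example.
    """
    if len(prehash) != 128 or any(c not in "0123456789abcdef" for c in prehash):
        raise ValueError("expected a 64-byte SHA-512 digest as 128 lowercase hex chars")
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", prehash.encode("ascii"), salt, PBKDF2_ITERATIONS)
    return {
        "kdf": "pbkdf2-sha512",
        "iters": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": key.hex(),
    }


def server_verify(prehash: str, record: dict) -> bool:
    """Recompute the server-side hash for a login attempt and compare in constant time."""
    if len(prehash) != 128:
        return False
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha512", prehash.encode("ascii"), salt, record["iters"])
    return hmac.compare_digest(key.hex(), record["hash"])


def register(password: str) -> dict:
    """Full registration path: client pre-hash, then server-side KDF of the digest."""
    return server_store(client_prehash(password))


def login(password: str, record: dict) -> bool:
    """Full login path: the client pre-hashes again and the server verifies the digest."""
    return server_verify(client_prehash(password), record)


if __name__ == "__main__":
    record = register(LONG_PASSWORD)
    print("bytes sent by client:", len(client_prehash(LONG_PASSWORD)) // 2)
    print("stored record:", record)
    print("correct password accepted:", login(LONG_PASSWORD, record))
    print("truncated password rejected:", login(LONG_PASSWORD[:24], record))
```

Note that `server_store` rejects anything that is not a well-formed digest: once the client digest is the only thing the server accepts, that input is effectively the password, which is why the second, salted hashing step on the server is still required and why the comparison in `server_verify` is constant-time.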