DCRoss
Ars Scholae Palatinae
11y
960
Yesterday at 11:36 AM
#24
MTSkibum said:
Somewhere a web developer chose an arbitrary nvarchar length for the password and is storing it unencrypted in a sql database. That is how you ended up with the maximum password length.
There's more to the story, but the relevant part is that way back in 1976 UNIX systems hashed passwords with a DES-based algorithm which was limited to two characters of salt and eight characters of password. It wasn't until 1994 that Poul-Henning Kamp replaced this with a more advanced hash based on MD5 for FreeBSD, and this was adopted by just about everybody. However, not only did applications keep using the old crypt(3) implementation long after that, they also stuck with the idea that having an eight-character limit on your password was reasonable, and even that if you used a more secure algorithm that sixteen was fair.
With this in mind, setting fixed length fields for passwords or password hashes was considered acceptable for far longer than it should have been.
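As an added illustration (not part of DCRoss's post or the thread), the check below probes a password-hashing backend for the silent truncation the post describes: it hashes ever-longer prefixes of a probe string and reports the first length at which adding a character stops changing the result. The `legacy_crypt_like` function is a constructed stand-in for the 8-character limit of the DES-based crypt(3), not the DES algorithm itself; `fixed_width_column` models the arbitrary fixed-length column from MTSkibum's quote; the fixed salts and the low PBKDF2 iteration count exist only to keep the demo deterministic and quick.

```python
import hashlib
import hmac
from typing import Callable, Optional

HashFn = Callable[[str], bytes]

def legacy_crypt_like(password: str, salt: bytes = b"ab") -> bytes:
    # Constructed model of the 1976 crypt(3) behaviour: two characters of salt,
    # and only the first eight characters of the password affect the hash.
    # This is NOT DES; it only reproduces the truncation property.
    return hashlib.sha256(salt + password[:8].encode()).digest()

def modern_hash(password: str, salt: bytes = b"fixed-salt-for-demo") -> bytes:
    # Comparison backend hashing the whole password. Fixed salt and a low
    # iteration count are for the demo only; production code uses a random
    # per-user salt and a far higher work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)

def fixed_width_column(hash_fn: HashFn, width: int) -> HashFn:
    # Models a schema whose password field is an arbitrary fixed-width column:
    # whatever is stored past `width` characters is silently discarded before
    # it ever reaches the hash function.
    return lambda password: hash_fn(password[:width])

def truncation_limit(hash_fn: HashFn, max_len: int = 256) -> Optional[int]:
    """Return the length after which extra characters no longer change the
    hash, or None if no truncation is observed up to max_len characters."""
    # A probe string with a distinct printable character in every position, so
    # prefixes of different length are genuinely different passwords.
    probe = "".join(chr(33 + (i % 90)) for i in range(max_len + 1))
    for n in range(1, max_len + 1):
        # Same digest for n and n+1 characters means the (n+1)th was ignored.
        if hmac.compare_digest(hash_fn(probe[:n]), hash_fn(probe[:n + 1])):
            return n
    return None

def describe(name: str, hash_fn: HashFn) -> str:
    limit = truncation_limit(hash_fn)
    if limit is None:
        return f"{name}: no truncation observed"
    return f"{name}: silently truncates passwords at {limit} characters"

if __name__ == "__main__":
    print(describe("crypt(3)-style model", legacy_crypt_like))
    print(describe("PBKDF2-HMAC-SHA256", modern_hash))
    print(describe("PBKDF2 behind a 12-char column", fixed_width_column(modern_hash, 12)))
```

Run the probe against any backend you can call deterministically (fix the salt for the test); a reported limit means users' extra characters add no security and, worse, that two passwords sharing a prefix verify as the same credential.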