Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • escapesamsara@lemmings.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    Then you’re vulnerable to simple brute force attacks, which if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.

      • frezik@midwest.social
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Some kind of upper bound is usually sensible. You can open a potential DoS vector by accepting anything. The 72 byte bcrypt/scrypt limit is generally sensible, but going for 255 would be fine. There’s very little security to be gained at those lengths.