Friday, April 29, 2022

Making a hash of it by not making a hash of it

from here and here

All the comments I've seen about this so far have assumed this was about end users, which is fair because most people are end users so of course they would see it from that perspective. In reality, though, this is about system designers/architects. You know, the people who make sites and are supposed to hash your password rather than storing the plain text (or reversibly encrypted) version of it? Yeah, if that site says your password is too long it means they aren't hashing the passwords and so are doing it wrong.
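To make the point concrete, here is an added example (my own code, not from the linked sites) of what hashed password storage looks like: a salted PBKDF2-HMAC-SHA256 record whose stored length is the same whether the password is 13 characters or 500, so the only length check left is a generous ceiling that bounds CPU per login attempt. The iteration count, salt size and ceiling are constructed values for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; tune ITERATIONS to your CPU budget.
SALT_BYTES = 16
ITERATIONS = 600_000
DIGEST_BYTES = 32
# Generous ceiling that only bounds work per attempt; it is not a usability limit.
MAX_PASSWORD_BYTES = 4096


def store_password(password: str) -> str:
    """Return a fixed-width record: algorithm$iterations$salt_hex$digest_hex.

    The record length does not depend on the password length, which is why a
    site that actually hashes has no storage reason to reject long passwords.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the per-attempt work ceiling")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, dklen=DIGEST_BYTES)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    pw = password.encode("utf-8")
    if algo != "pbkdf2_sha256" or len(pw) > MAX_PASSWORD_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw, bytes.fromhex(salt_hex), int(iters), dklen=len(digest_hex) // 2
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_length(password: str) -> int:
    """Length of the stored record; identical for every accepted password."""
    return len(store_password(password))


if __name__ == "__main__":
    short_pw, long_pw = "correct horse", "x" * 500
    print(stored_length(short_pw), stored_length(long_pw))  # same width for both
    rec = store_password(long_pw)
    print(verify_password(long_pw, rec), verify_password(long_pw + "!", rec))
```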