DEV Community

loading...

Discussion on: Daily Challenge #224 - Password Validator

Collapse
franky47 profile image
François Best

Please, please, please... do not set maximum lengths on passwords. [1]

It's 2020, you should be hashing [2] your passwords (so the output is constant length no matter what the input). Password strength is based on two things: entropy (randomness) and length. Since people are usually bad at entropy, let them enter long passwords or passphrases if they want to. Also it sucks for people with password managers to have to generate custom rules. Accept any character, even spaces (you're hashing the password, so you can even accept ';-- for that matter), for passphrases.

[1] If you really want to set one to avoid 1GiB passwords, put it at 256 characters, so that password managers can go wild.
[2] Yes, I mean hashing + salting, don't roll it yourself and use bcrypt.

I know this is a training exercise, but cargo cult security is real.

Collapse
lunaticneko profile image
Chawanat Nakasan

Maybe archaic systems, and also, shorter lengths are easier to make test cases that are easy for inspection. Most programming challenges I know are usually short and sweet (unless we're dealing with huge data deliberately).

Collapse
merrickfox profile image
Merrick Fox

Nice idea but it's not always your choice.

Case in point, you're advocating using bcrypt when bcrypt itself can only support 72 characters maximum, anything larger is truncated.