Completely agree on all accounts. For every application and website I've written, authored, and maintained since I was a teenager (I'm 33 now) I've always
Generated the primary ID (either auto-incremented number, random fixed number, short hash, or UUID)
Authenticated off of an email (which can always be changed)
Allowed the registrant to provide an always changeable "Display Name" (sometimes I generate the first username automatically to keep everything as least annoying as possible)
Gone passwordless wherever possible. (If a password is required, I've always, since day 1, used the best one-way hashing I could get my hands on that allows the user to supply whatever password they want)
The only time I've ever had to ask for a legal name or other identifiable information, was when I wrote an online ordering system and it was required for shipping and billing information. And I've always made sure that data stayed forever changeable.
I fully believe in storing as little information about a user as possible in my databases, sticking strictly to what is needed to make the app do its thing, and nothing more. I don't even want your passwords if I can help it.
It straight up baffles me when I see anything else. Like MAXIMUM password length for example. Give me a break. But then.. yeah.. my wife has gone through a name change too, she got married to me and took my last name, and getting her online identities matched up to that has been a weird hell and a half.
I can't see why anybody might want a maximum password length, unless they DON'T store the hashed password, which doesn't bode well (even if it was encrypted it would be terrible).
Bcrypt is limited to 72 characters. It's the only reasonable limitation, as you would not want password managers to assume the user's password was longer than required to authenticate (especially if you migrated upwards in hash).
Totally true, anything longer and BCrypt will truncate. I like Argon2's input limit of 4.29b characters much better hehe
That said, 72 characters isn't the worst length limit, but when you're asked by your bank for a max limit of 14 or something similarly pathetic like that
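Added example, not part of the thread: a pre-hash length check for a bcrypt-backed store that applies the 72-byte limit the comments above mention, plus a helper that models bcrypt's documented prefix truncation (it slices bytes; it does not call a bcrypt library). The Argon2 constant follows the 2^32 - 1 byte limit the "4.29b" remark refers to. All sample passwords are constructed here. The security point: enforce the limit on UTF-8 bytes, not characters, and reject rather than silently truncate, so a password manager's 100-character secret is never quietly reduced to its first 72 bytes.

```python
"""Length policy for passwords that will be fed to bcrypt (or Argon2).

bcrypt only consumes the first 72 bytes of its input; Argon2 accepts up to
2**32 - 1 bytes.  Both limits are in BYTES, so a check on len(str) is wrong
for any non-ASCII password.
"""
from dataclasses import dataclass

BCRYPT_MAX_BYTES = 72          # documented bcrypt input limit
ARGON2_MAX_BYTES = 2 ** 32 - 1  # 4,294,967,295 bytes (~4.29 billion)


@dataclass(frozen=True)
class LengthCheck:
    ok: bool
    byte_length: int
    char_length: int
    reason: str


def check_password_length(password: str, max_bytes: int = BCRYPT_MAX_BYTES) -> LengthCheck:
    """Return whether the hash backend can use the whole password.

    Measures UTF-8 byte length, because that is what the hash sees.
    """
    raw = password.encode("utf-8")
    if len(raw) > max_bytes:
        return LengthCheck(
            False, len(raw), len(password),
            f"{len(raw)} UTF-8 bytes exceeds the {max_bytes}-byte hash input limit",
        )
    return LengthCheck(True, len(raw), len(password), "ok")


def password_bytes_for_hashing(password: str, max_bytes: int = BCRYPT_MAX_BYTES) -> bytes:
    """Bytes to pass to the hash, raising instead of truncating on overflow.

    Register-time code should call this and surface the ValueError to the
    user as a policy message rather than storing a hash of a prefix.
    """
    result = check_password_length(password, max_bytes)
    if not result.ok:
        raise ValueError(result.reason)
    return password.encode("utf-8")


def bcrypt_effective_input(password: str) -> bytes:
    """Model of what bcrypt actually hashes: the first 72 bytes, nothing more.

    This is a byte slice used for illustration, not a call into bcrypt.  Two
    passwords that agree on their first 72 bytes produce the same effective
    input, which is why the limit must be enforced before hashing.
    """
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


if __name__ == "__main__":
    # Constructed samples: ASCII at the limit, one over, and a multi-byte case.
    for sample in ["a" * 72, "a" * 73, "é" * 40]:
        r = check_password_length(sample)
        print(f"chars={r.char_length:3d} bytes={r.byte_length:3d} ok={r.ok} ({r.reason})")
    # Two long secrets that differ only after byte 72 collapse to one input.
    same = bcrypt_effective_input("a" * 72 + "X") == bcrypt_effective_input("a" * 72 + "Y")
    print("identical bcrypt input despite different passwords:", same)
```

The `"é" * 40` sample is the case a character-count check misses: 40 characters but 80 bytes, so bcrypt would drop the last four characters entirely.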