Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #50027, comment 15

Timestamp:
04/29/2020 09:11:24 PM (7 months ago)
Author:
deadduck169
  • Ticket #50027, comment 15

    initial  v1
    1        1    You definitely want to avoid truncating the hash at all costs. SHA2 algorithms are secure when the entire hash is included, whereas truncated hashes are not proven to be secure and could introduce a vulnerability.
    2        2    (blank line)
    3        -    (removed) I also second the motion to just let passwords be truncated at 72 bytes. Arguably you are not adding any additional security at the password at this point. There are currently 143859 Unicode characters defined (and growing) out of over 1.1 million possible characters. This means that there are currently about 10^92 possible 18 character Unicode passwords (i.e. more than the total number of atoms in the known universe). I doubt the security bottleneck will be in your password at that point.
    -        3    (added) I also second the motion to just let passwords be truncated at 72 bytes. Arguably you are not adding any additional security at the password at this point. There are currently 143859 Unicode characters defined (and growing) out of over 1.1 million possible characters. This means that there are currently about 10^92 ^ possible 18 character Unicode passwords (i.e. more than the total number of atoms in the known universe). I doubt the security bottleneck will be in your password at that point.
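An added example, not part of the ticket or of WordPress itself, that checks the byte-versus-character arithmetic behind the comment: bcrypt hashes at most the first 72 bytes of the input, so how many characters survive depends on their UTF-8 width (18 four-byte characters fill the window exactly), and two passwords that differ only past byte 72 would hash identically. The Unicode counts are the figures quoted in the comment; bcrypt itself is not called, only its truncation rule is modelled.

```python
import math

BCRYPT_MAX_BYTES = 72          # bcrypt hashes at most the first 72 bytes of the input
UNICODE_DEFINED = 143859       # assigned characters, figure quoted in the comment above
UNICODE_CODESPACE = 0x110000   # 1,114,112 possible code points ("over 1.1 million")


def truncated_input(password: str) -> bytes:
    """Return the bytes bcrypt would actually hash: UTF-8 encoding cut at 72 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def surviving_chars(password: str) -> int:
    """Count the whole code points that fit inside the 72-byte window.

    The limit is in bytes, not characters: an ASCII letter costs 1 byte, an emoji
    costs 4, so 72 ASCII letters survive but only 18 emoji do.
    """
    used = 0
    count = 0
    for ch in password:
        width = len(ch.encode("utf-8"))
        if used + width > BCRYPT_MAX_BYTES:
            break
        used += width
        count += 1
    return count


def same_after_truncation(a: str, b: str) -> bool:
    """True when two passwords would produce the same bcrypt hash because
    they only differ beyond the 72nd byte (the case the comment accepts)."""
    return truncated_input(a) == truncated_input(b)


def password_space_log10(alphabet_size: int, length: int) -> float:
    """log10 of the number of distinct passwords of `length` symbols drawn
    from an alphabet of `alphabet_size`; the comment's 10^92 figure is
    18 characters drawn from the 143859 assigned Unicode characters."""
    return length * math.log10(alphabet_size)


if __name__ == "__main__":
    print("ASCII chars surviving:", surviving_chars("a" * 100))
    print("4-byte chars surviving:", surviving_chars("\U0001F600" * 30))
    print("log10 of 18-char Unicode password space:",
          round(password_space_log10(UNICODE_DEFINED, 18), 2))
```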