Changes between Initial Version and Version 1 of Ticket #50027, comment 15
Timestamp: 04/29/2020 09:11:24 PM
Ticket #50027, comment 15
Unmodified (lines 1-2, identical in initial and v1):
You definitely want to avoid truncating the hash at all costs. SHA2 algorithms are secure when the entire hash is included, whereas truncated hashes are not proven to be secure and could introduce a vulnerability.

Modified (line 3), initial:
I also second the motion to just let passwords be truncated at 72 bytes. Arguably you are not adding any additional security to the password at this point. There are currently 143859 Unicode characters defined (and growing) out of over 1.1 million possible characters. This means that there are currently about 10^92 possible 18 character Unicode passwords (i.e. more than the total number of atoms in the known universe). I doubt the security bottleneck will be in your password at that point.

Modified (line 3), v1:
I also second the motion to just let passwords be truncated at 72 bytes. Arguably you are not adding any additional security to the password at this point. There are currently 143859 Unicode characters defined (and growing) out of over 1.1 million possible characters. This means that there are currently about 10^92^ possible 18 character Unicode passwords (i.e. more than the total number of atoms in the known universe). I doubt the security bottleneck will be in your password at that point.
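The following is an added example, not code from the ticket or from WordPress, that makes the two points in the comment concrete: what a 72-byte input limit actually does to a password (it cuts UTF-8 bytes, not characters, so a cut can land inside a multi-byte sequence, and a password made of 4-byte characters keeps only 18 of them), how large the keyspace of 18 such characters is using the comment's figure of 143859 assigned code points, and that a full SHA-256 hex digest (64 bytes) fits under the limit without truncating the hash. It assumes the 72-byte figure refers to bcrypt's input limit; the helper names and the sample passwords are constructed for this illustration.

```python
import hashlib
import math

# Assumption: the 72-byte figure in the comment is bcrypt's input limit.
INPUT_LIMIT = 72


def truncate_password(password: str, limit: int = INPUT_LIMIT) -> bytes:
    """Return the bytes a 72-byte-limited hash would actually consume.

    The cut is applied to UTF-8 bytes, not characters, so it can land in
    the middle of a multi-byte sequence; this mirrors byte-oriented
    truncation rather than rounding down to a character boundary.
    """
    return password.encode("utf-8")[:limit]


def same_effective_password(a: str, b: str) -> bool:
    """True when two passwords are indistinguishable after truncation."""
    return truncate_password(a) == truncate_password(b)


def cut_lands_inside_character(password: str, limit: int = INPUT_LIMIT) -> bool:
    """True when truncation splits a multi-byte UTF-8 character."""
    try:
        truncate_password(password, limit).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def max_chars_within_limit(bytes_per_char: int, limit: int = INPUT_LIMIT) -> int:
    """Characters of a fixed UTF-8 width that fit inside the limit.

    Code points above U+FFFF take 4 bytes each, so 72 // 4 == 18, which is
    where the comment's "18 character" figure comes from.
    """
    return limit // bytes_per_char


def keyspace_log10(alphabet_size: int, length: int) -> float:
    """log10 of the number of passwords of `length` over `alphabet_size`."""
    return length * math.log10(alphabet_size)


def prehash_fits(password: str, limit: int = INPUT_LIMIT) -> bool:
    """A SHA-256 hex digest is 64 bytes, so a pre-hashed password stays
    under the limit without truncating the digest itself."""
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")
    return len(digest) <= limit


if __name__ == "__main__":
    # Constructed sample inputs.
    base = "x" * INPUT_LIMIT
    print(same_effective_password(base + "a", base + "b"))      # True: bytes past 72 are ignored
    print(cut_lands_inside_character("a" * 70 + "\U0001F600"))  # True: 4-byte char split at byte 72
    print(max_chars_within_limit(4))                            # 18
    print(round(keyspace_log10(143859, 18), 1))                 # about 92.8, i.e. roughly 10^92
    print(prehash_fits("any password"))                         # True
```

`keyspace_log10(143859, 18)` evaluates to roughly 92.8, which is the "about 10^92" in the comment; the multi-byte case is worth remembering because a byte-level cut can leave an undecodable tail, even though equality of the truncated bytes is all a byte-oriented hash cares about.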