jclermont (@jclermont@phpc.social)

Laravel recently added a password validation rule to more easily enforce a maximum length. Why would you ever want to limit the length of a password? Here's an explanation of how it actually improves security. https://masteringlaravel.io/daily/2024-02-05-why-does-laravel-offer-a-max-password-length-validation-rule

heiglandreas (@heiglandreas@phpc.social)

@jclermont https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers

"Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

To increase security it should not be possible to set the maximum length of that validator to a value below 64.

Otherwise it is not improving security.

jclermont (@jclermont@phpc.social)

@heiglandreas That's a fair point, and the default max being discussed is 72 (due to bcrypt internals), so it would not violate the NIST recommendation.

heiglandreas (@heiglandreas@phpc.social)

@jclermont That's absolutely right!

Sadly, advertising a tool to set a max password length (to avoid the password being truncated at 72 chars) will cause people to abuse it to set the max length to whatever some project manager thinks is enough (12 chars).

BTW: Is that truncating at 72 chars or bytes... 🙈
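Added example (editor's, not code from the thread, from Laravel, or from the linked article): bcrypt's 72-byte key limit demonstrated with PHP's own `password_hash()`/`password_verify()`, which Laravel's default bcrypt hasher wraps. It shows that two passwords sharing the same first 72 bytes verify against the same hash, that the limit is counted in bytes rather than characters, and a byte-based length check a practitioner might put in front of the hasher. The `passwordLengthError` helper and the constructed passwords are this example's own, not a Laravel rule.

```php
<?php
// Added example, not Laravel's code. Requires PHP 7.x or later with bcrypt
// support (always compiled in). Save the file as UTF-8.

const BCRYPT_MAX_BYTES = 72;

// Constructed inputs: 72 ASCII bytes followed by two different suffixes.
$prefix72 = str_repeat('a', 72);
$long1 = $prefix72 . 'SUFFIX-ONE';
$long2 = $prefix72 . 'suffix-two';

// Cost 4 is the minimum bcrypt allows; it keeps the example fast. Use the
// default (10 or higher) in production.
$hash = password_hash($long1, PASSWORD_BCRYPT, ['cost' => 4]);

// Both verify: bcrypt only ever hashed the first 72 bytes of $long1.
var_dump(password_verify($long1, $hash)); // bool(true)
var_dump(password_verify($long2, $hash)); // bool(true)

// A change inside the first 72 bytes is still detected.
var_dump(password_verify('b' . substr($long1, 1), $hash)); // bool(false)

// Bytes, not characters: '€' is 3 bytes in UTF-8, so 24 of them already
// fill the 72-byte window and the 25th character is silently dropped.
$multibytePw = str_repeat('€', 24) . 'x';
printf("%d characters, %d bytes\n",
    mb_strlen($multibytePw, 'UTF-8'), strlen($multibytePw)); // 25 characters, 73 bytes
$hash2 = password_hash($multibytePw, PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(password_verify(str_repeat('€', 24) . 'y', $hash2)); // bool(true)

/**
 * Hypothetical validation helper (not a Laravel rule): reject any password
 * whose UTF-8 byte length exceeds the bcrypt window, so nothing is silently
 * truncated, and refuse a cap below 64 bytes so that 64 single-byte
 * characters (the NIST SP 800-63B floor) always fit.
 */
function passwordLengthError(string $password, int $maxBytes = BCRYPT_MAX_BYTES): ?string
{
    if ($maxBytes < 64) {
        throw new InvalidArgumentException(
            'max length must be at least 64 (NIST SP 800-63B section 5.1.1.2)'
        );
    }
    $bytes = strlen($password); // strlen() counts bytes, which is what bcrypt sees
    if ($bytes > $maxBytes) {
        return sprintf('password is %d bytes; bcrypt would hash only the first %d', $bytes, $maxBytes);
    }
    return null;
}

var_dump(passwordLengthError($prefix72));    // NULL: 72 bytes fit exactly
var_dump(passwordLengthError($long1));       // string: 82 bytes ...
var_dump(passwordLengthError($multibytePw)); // string: 73 bytes ...
```

Two caveats for anyone applying this. First, a 72-byte cap and the 64-character NIST floor only coincide for single-byte (ASCII) passwords; a 64-character passphrase made of 3-byte UTF-8 characters is 192 bytes and would be truncated by bcrypt no matter what the validator allows. Second, if long non-ASCII passwords matter, the usual answers are to pre-hash the password with a fixed-length digest before bcrypt or to use a hasher without the window, such as `password_hash($pw, PASSWORD_ARGON2ID)` where Argon2 is compiled in; a maximum-length rule then becomes a denial-of-service guard rather than a truncation guard.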
