[aur-dev] [PATCH] Remove maxlength on password fields

Stein Magnus Jodal stein.magnus at jodal.no
Fri Nov 25 07:30:05 EST 2011

On Fri, Nov 25, 2011 at 12:16, Lukas Fleischer <archlinux at cryptocrack.de> wrote:
> Out of curiosity - why would you need a password with more than 32
> characters? If you use a password manager and create random passwords
> anyway, there's no need to create such long passwords. Assuming that
> your password contains lower-case and upper-case letters, as well as
> numbers, you won't gain any extra security when using passwords longer
> than ~22 characters (it'll be easier to brute-force a MD5 collision than
> finding the correct password in this case). Even if we used SHA-1,
> passwords with a length of 27 characters would already give you the
> maximum amount of security possible.

I use the pwsafe password manager, which defaults to passwords with
160 bits of entropy, which usually means 32 chars with special chars
or 39 chars with just numbers and letters in lower and upper case. I
agree that there's no need for having passwords of this length, but
passwords managers with longer default lengths than 32 chars do exist,
and it's really no reason for stopping people from using long
passwords. Having maxlength on a password field only suggests that the
password is stored in plain text.

> You should try to configure your MUA not to break long lines when
> sending patches... The best alternative is to use `git send-email` :)

Sorry, I'm usually using GitHub for all git cooperation, and Gmail is
really suboptimal for sending patches :-)

Stein Magnus Jodal

More information about the aur-dev mailing list