[aur-dev] [PATCH] Remove maxlength on password fields

Lukas Fleischer archlinux at cryptocrack.de
Fri Nov 25 09:34:40 EST 2011


On Fri, Nov 25, 2011 at 01:30:05PM +0100, Stein Magnus Jodal wrote:
> On Fri, Nov 25, 2011 at 12:16, Lukas Fleischer <archlinux at cryptocrack.de> wrote:
> > Out of curiosity - why would you need a password with more than 32
> > characters? If you use a password manager and create random passwords
> > anyway, there's no need to create such long passwords. Assuming that
> > your password contains lower-case and upper-case letters, as well as
> > numbers, you won't gain any extra security when using passwords longer
> > than ~22 characters (it'll be easier to brute-force an MD5 collision than
> > finding the correct password in this case). Even if we used SHA-1,
> > passwords with a length of 27 characters would already give you the
> > maximum amount of security possible.
> 
> I use the pwsafe password manager, which defaults to passwords with
> 160 bits of entropy, which usually means 32 chars with special chars
> or 39 chars with just numbers and letters in lower and upper case. I
> agree that there's no need for having passwords of this length, but
> passwords managers with longer default lengths than 32 chars do exist,
> and there's really no reason for stopping people from using long
> passwords. Having maxlength on a password field only suggests that the
> password is stored in plain text.

Identifying 160 bits of entropy with 32 chars is weird... Even if we
only use alphabetic characters and digits,

    ceil(log(2 ^ 160) / log(2 * 26 + 10)) = 27

characters should be sufficient...

> 
> > You should try to configure your MUA not to break long lines when
> > sending patches... The best alternative is to use `git send-email` :)
> 
> Sorry, I'm usually using GitHub for all git cooperation, and Gmail is
> really suboptimal for sending patches :-)

You can add a link to your GitHub repository next time you send a patch
so that I can pull and don't have to go through the pain of fixing the
patch before feeding it to git-am(1).

> 
> -- 
> Stein Magnus Jodal
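
The length arithmetic in the thread above, as an added example that is not part of the original e-mail or of the AUR code: the number of characters a uniformly random password needs before its keyspace exceeds a brute-force search of the hash output, for the alphabets and digests the thread mentions (62 alphanumerics; MD5 at 128 bits, SHA-1 at 160 bits). The comparison that actually matters for a stored password hash is a preimage search (2^digest-bits of work), not a collision (2^(digest-bits/2)), so the block uses the full digest size. The alphabet and digest tables are constructed for this example; the function names are assumptions, not AUR identifiers.

```python
import math
import string

# Digest sizes, in bits, of the hash functions named in the thread.
DIGEST_BITS = {"md5": 128, "sha1": 160}

# Alphabets assumed for the calculation (constructed for this example).
ALPHABETS = {
    "alnum": string.ascii_letters + string.digits,                           # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def chars_for_entropy(bits, alphabet_size):
    """Smallest length whose keyspace is at least 2**bits (ceil(bits / log2(alphabet)))."""
    return math.ceil(bits / math.log2(alphabet_size))


def useful_max_length(hash_name, alphabet_size):
    """Length beyond which guessing the password costs more than a brute-force
    preimage of the digest, i.e. the point where extra characters buy nothing."""
    return chars_for_entropy(DIGEST_BITS[hash_name], alphabet_size)


def summarize():
    """Return {(hash, alphabet): useful length} for every combination in the tables."""
    return {
        (h, name): useful_max_length(h, len(alpha))
        for h in DIGEST_BITS
        for name, alpha in ALPHABETS.items()
    }


if __name__ == "__main__":
    for (h, name), n in sorted(summarize().items()):
        print(f"{h:5s} {name:10s} alphabet={len(ALPHABETS[name]):3d} useful length={n}")
    # The thread's specific figures, alphanumeric alphabet:
    print("160 bits, 62 symbols ->", chars_for_entropy(160, 62), "chars")
    print("27 alphanumeric chars ->", round(entropy_bits(27, 62), 1), "bits")
```

Running it reproduces the thread's numbers: 22 characters for MD5 and 27 for SHA-1 over 62 symbols. Note that this bound is a property of the hash chosen by the server, not of the HTML form; a limit in the hashing scheme (bcrypt, for instance, only considers the first 72 bytes of input) is enforced by the hash itself and is no reason to put a `maxlength` on the field.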

