Specifying an arbitrary maximum length for a user's password
You can even design a system that accepts input of indefinite length from the user. Once that input has been hashed, you simply trim the hash down to the size your storage system requires. This does lose some information, but, playing the percentage game, it makes recovering the original string from the hash even harder.
Once you've committed to a 1024/2048-length hash, any user's password that is too short to fill that length could have predefined garbage appended to the input to bring the hash up to that length, making it harder to discern the length of the original input.
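The scheme just described, as an added example that is not code from the original post: the raw input is accepted at any length, short inputs get the predefined pad the post mentions, a fixed-output hash collapses the result to a constant size, and a slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library) produces a digest trimmed to the storage width via its `dklen` parameter. All constants (`MIN_INPUT_LEN`, `PAD`, `KDF_ITERATIONS`, `STORED_DIGEST_LEN`) and function names are assumptions chosen for this example. Because the pre-hash output is always 32 bytes, the stored value is the same size whether the user typed 3 characters or 30,000, so storage width never has to constrain password length.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (assumptions, not from the original post).
PREHASH = "sha256"          # fixed-output hash applied to the raw, unbounded input
KDF_ITERATIONS = 600_000    # PBKDF2 work factor (assumed value)
STORED_DIGEST_LEN = 32      # bytes the storage column holds; PBKDF2 trims to this via dklen
MIN_INPUT_LEN = 64          # inputs shorter than this get the predefined pad appended
PAD = b"\x00example-pad-bytes-"  # constructed, predefined filler; must never change once deployed


def normalise_password(password: str) -> bytes:
    """Encode the password and apply the post's padding step: inputs shorter
    than MIN_INPUT_LEN bytes get a fixed, predefined tail. The pad is
    deterministic so that verification reproduces it exactly."""
    raw = password.encode("utf-8")
    if len(raw) < MIN_INPUT_LEN:
        shortfall = MIN_INPUT_LEN - len(raw)
        raw += (PAD * (shortfall // len(PAD) + 1))[:shortfall]
    return raw


def prehash(password: str) -> bytes:
    """Collapse input of any length into a fixed 32-byte digest, so the slow
    KDF below always works on a constant-size key whatever the user typed."""
    return hashlib.new(PREHASH, normalise_password(password)).digest()


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, stored_digest). A fresh random salt is generated when none
    is supplied; dklen is the 'trim to storage size' step from the post."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", prehash(password), salt, KDF_ITERATIONS, dklen=STORED_DIGEST_LEN
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print(len(digest), verify_password("correct horse battery staple", salt, digest))
    # A 20,000-character password yields a digest of exactly the same size.
    _, long_digest = hash_password("x" * 20_000, salt)
    print(len(long_digest))
```

One practical caveat worth knowing when choosing the KDF: bcrypt only uses the first 72 bytes of its input, which is exactly why a fixed-output pre-hash like the one above is the usual way to accept longer passwords with it.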
Security is important, and ridiculously lax requirements that prevent users from being as secure as they wish with their data should be cause for concern for any business, especially multi-million £ organisations.