(08-24-2020, 12:13 PM)robkelk Wrote: Noticed something that made me wonder: Who used a novel-length password, to make it necessary to put a maximum size on them? And why is the maximum set to 4096 characters?
Rhetorical question; no need to answer. It Just Bugs Me, is all.
This is a Denial of Service attack vector. Logged-out users send large payloads, and the server spends a lot of time computing hash functions.
OWASP Authentication Cheat Sheet - Password Length
I didn't even have to look it up, it just seemed obvious to me. Which is why I work in application security I guess.
"Kitto daijoubu da yo." - Sakura Kinomoto
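An added example of the mitigation the reply describes, written for this page and not taken from the post, the forum software, or the OWASP cheat sheet: a login path that bounds the input size with a cheap check before any key derivation runs, so an unauthenticated client cannot make the server spend KDF time on an arbitrarily large payload. The 4096 limit is the figure the post asks about; the 8-character minimum, the 600,000 PBKDF2 iterations and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Limits used by this example. 4096 is the value the forum post asks about;
# the minimum is an assumed, common choice. Neither is prescribed here.
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_BYTES = 4096


class PasswordTooShort(ValueError):
    pass


class PasswordTooLong(ValueError):
    pass


def normalize_password(password: str) -> bytes:
    """NFKC-normalise and UTF-8 encode so the length gate and the KDF see the same bytes."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def check_length(password: str) -> bytes:
    """Cheap gate that runs before any key derivation.

    The maximum is enforced on the encoded bytes, because bytes are what the
    KDF consumes: a 4096-character password made of multi-byte characters is
    more than 4096 bytes and is rejected here.
    """
    encoded = normalize_password(password)
    if len(password) < MIN_PASSWORD_CHARS:
        raise PasswordTooShort(f"password must be at least {MIN_PASSWORD_CHARS} characters")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password must be at most {MAX_PASSWORD_BYTES} bytes")
    return encoded


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Derive a stored verifier. The size gate runs first, so oversized input never reaches PBKDF2."""
    encoded = check_length(password)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encoded, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify a candidate password. Input that fails the size gate is refused without KDF work."""
    try:
        encoded = check_length(password)
    except ValueError:
        return False
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", encoded, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def login_attempt(password: str, stored: str) -> int:
    """Simulated unauthenticated login endpoint; returns an HTTP-style status code.

    400: input rejected by the size gate, no KDF time spent.
    401: within limits but wrong.
    200: match.
    The limit is public (it is displayed on the sign-up form), so refusing early
    tells the attacker nothing they did not already know.
    """
    try:
        check_length(password)
    except ValueError:
        return 400
    return 200 if verify_password(password, stored) else 401
```

The gate is the whole point: its cost is a normalisation and a byte count, while the step it protects costs hundreds of thousands of hash invocations. Counting bytes rather than characters matters because the limit exists to cap KDF input, and a 4096-character string of two-byte characters is twice the size of the same number of ASCII characters.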