hnlmorg 13 hours ago

> and have caused 0 issues in practice

Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.

For example, knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.

So the real question isn’t whether it has any security benefit; it’s more is the convenience greater than the risk it introduces.

Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.

But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.

This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.

SAI_Peregrinus 6 hours ago | parent

Knowing password length makes it easier to crack an insecure password.

The SHA256 hash of a 6-symbol diceware password, where each symbol has its first letter capitalized and the rest lowercase, with 1! appended for compliance with misguided composition rules is 540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012. There are 37 octets in the password. You know the length. You know the composition rules. You have an unsalted hash. It's only 77 or so bits of entropy. Get cracking, I'll wait.
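A worked example added here (not part of either comment) of the arithmetic behind "77 or so bits": it computes the entropy of a 6-word diceware passphrase, then quantifies how much an attacker actually gains from knowing the total length, using a dynamic programme over a word-length histogram. The histogram is constructed for illustration and is not the real EFF/diceware list distribution; the 7776-entry list size, the 6-word count, the "1!" suffix, the 37-octet length and the digest are the values stated in the comment.

```python
import hashlib
import math
from collections import Counter

WORDLIST_SIZE = 7776            # 6^5 entries in a standard diceware list
WORDS = 6                       # word count stated in the comment
SUFFIX = "1!"                   # appended for composition rules, per the comment
TOTAL_OCTETS = 37               # password length stated in the comment
DIGEST = "540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012"  # from the comment

# Constructed word-length histogram (NOT the real diceware distribution):
# number of list entries having each character length; sums to 7776.
LENGTH_HISTOGRAM = {3: 600, 4: 1500, 5: 2100, 6: 1900, 7: 1100, 8: 576}
assert sum(LENGTH_HISTOGRAM.values()) == WORDLIST_SIZE


def passphrase_entropy_bits(words=WORDS, wordlist_size=WORDLIST_SIZE):
    """Entropy in bits of `words` uniformly random picks from the list.
    Capitalisation and the fixed suffix are deterministic, so they add nothing."""
    return words * math.log2(wordlist_size)


def combos_by_total_length(words=WORDS, hist=LENGTH_HISTOGRAM):
    """Count ordered word sequences for every possible total letter count.
    Dynamic programme: extend the count table one word at a time."""
    counts = Counter({0: 1})
    for _ in range(words):
        nxt = Counter()
        for total, n in counts.items():
            for length, m in hist.items():
                nxt[total + length] += n * m
        counts = nxt
    return counts


def entropy_given_length(total_octets=TOTAL_OCTETS, words=WORDS,
                         hist=LENGTH_HISTOGRAM, suffix=SUFFIX):
    """Bits remaining once the attacker knows the total password length
    (including the suffix): log2 of the sequences that fit that length."""
    letters = total_octets - len(suffix)
    n = combos_by_total_length(words, hist)[letters]
    return math.log2(n) if n else 0.0


def length_leak_bits(total_octets=TOTAL_OCTETS):
    """How many bits the length disclosure removes from the search space."""
    return passphrase_entropy_bits() - entropy_given_length(total_octets)


def check_candidate(candidate, hex_digest=DIGEST):
    """Unsalted SHA-256 verification: what 'you have an unsalted hash' allows,
    one candidate at a time, for the whole remaining search space."""
    return hashlib.sha256(candidate.encode()).hexdigest() == hex_digest


if __name__ == "__main__":
    print(f"full entropy:          {passphrase_entropy_bits():.2f} bits")
    print(f"entropy given length:  {entropy_given_length():.2f} bits")
    print(f"leaked by length:      {length_leak_bits():.2f} bits")
    # Constructed guess; not the real passphrase.
    print("constructed guess matches:", check_candidate("Correct Horse Battery Staple Simple Word1!"))
```

The point the numbers make: with six uniformly chosen words, the length reveals only a few bits (the count of sequences that sum to a given length is a slice of the 7776^6 total), so the remaining space is still far beyond brute force against a single unsalted SHA-256 digest. With a short human-chosen password, the same length disclosure removes a much larger fraction of a much smaller space, which is the distinction the comment is drawing.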