wao0uuno 4 hours ago

How is exposing length of a password a vulnerability? My HN password is 16 characters long. Go and crack it.

gnabgib 4 hours ago | parent

Set it to 1-5 characters long, and let us know which you chose.

Dylan16807 3 hours ago | parent | next

Why?

If I pick a random 1-5 character password out of the pool of possibilities, it's very very likely to be 5 characters, and letting you know it's not 1-4 characters does pretty much nothing to help you crack it.

If I'm acting reasonably, I don't randomize the length, I pick a length long enough for the amount of security I want, and in that situation telling you the exact length reduces that security by much less than one bit.
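The two claims above (a uniformly chosen 1-5 character password is almost always 5 characters, and revealing a fixed length costs far less than one bit) can be checked with a short entropy calculation. This is an added example, not part of the thread; the alphabet size of 95 (printable ASCII) and the length ranges are assumed for illustration.

```python
import math


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords whose length lies in [min_len, max_len]."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def bits_gained_from_length(alphabet_size: int, min_len: int, max_len: int,
                            actual_len: int) -> float:
    """Entropy (bits) an attacker gains when a password drawn uniformly from the
    whole pool of lengths [min_len, max_len] is revealed to have actual_len
    characters: log2(pool size) - log2(passwords of that exact length)."""
    total = keyspace(alphabet_size, min_len, max_len)
    return math.log2(total) - math.log2(alphabet_size ** actual_len)


def length_distribution(alphabet_size: int, min_len: int, max_len: int) -> dict:
    """P(length = k) for a password drawn uniformly from the whole pool.
    Longer lengths dominate because there are exponentially more of them."""
    total = keyspace(alphabet_size, min_len, max_len)
    return {k: alphabet_size ** k / total for k in range(min_len, max_len + 1)}


def expected_bits_gained(alphabet_size: int, min_len: int, max_len: int) -> float:
    """Average information the length leaks, i.e. the Shannon entropy H(L) of
    the length distribution. This is the number a defender should compare
    against the password's total entropy."""
    return -sum(p * math.log2(p)
                for p in length_distribution(alphabet_size, min_len, max_len).values())


if __name__ == "__main__":
    ALPHABET = 95  # printable ASCII, assumed for illustration

    # Case 1: uniformly random 1-5 character password (the thread's example).
    dist = length_distribution(ALPHABET, 1, 5)
    print("P(length=5) =", round(dist[5], 4))                       # ~0.9895
    print("bits gained if told length is 5 =",
          round(bits_gained_from_length(ALPHABET, 1, 5, 5), 4))      # ~0.0153
    print("expected bits gained over all lengths =",
          round(expected_bits_gained(ALPHABET, 1, 5), 4))            # ~0.0852

    # Case 2: a fixed-length password (the "acting reasonably" case).
    # Revealing a length the attacker already assumes leaks nothing.
    print("bits gained for fixed 16-char password =",
          bits_gained_from_length(ALPHABET, 16, 16, 16))              # 0.0
    print("total entropy of a 16-char password =",
          round(16 * math.log2(ALPHABET), 1))                         # ~105.1
```

The output shows why the length of a long fixed-length password is not a meaningful leak: the attacker's gain is at most the entropy of the length distribution, which is a small fraction of a bit here, against roughly 105 bits of total entropy for 16 printable characters.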

sethops1 4 hours ago | parent | prev

You're missing the point. If knowing the length of a password is helpful in cracking it, then it's already too short to be effective.

gnabgib 3 hours ago | parent

The question was:

> How is exposing length of a password a vulnerability?

You're arguing exactly the point: knowing the length of a password is helpful in cracking it. We all agree short is bad. Depending on your threat model, you (hopefully) don't use passwords as the only verification in very many places - perhaps to unlock stronger secrets (ssh keys, an account without local login that can only connect with a certificate). You'd still rather a shoulder surfer didn't know how many characters you pressed.