| ▲ | sethops1 4 hours ago | |
You're missing the point. If knowing the length of a password is helpful in cracking it, then it's already too short to be effective. | ||
| ▲ | gnabgib 3 hours ago | parent [-] | |
The question was: > How is exposing length of a password a vulnerability? You're arguing exactly the point.. knowing the length of a password is helpful in cracking it. We all agree short is bad. Depending on your threat model, you (hopefully) don't use passwords as the only verification very many places - perhaps to unlock stronger secrets (ssh keys, an account without local login that can only connect with a certificate). You'd still rather a shoulder surfer doesn't know how many characters you pressed. | ||