Just take the string as bytes and hash it ffs

  • expr
    link
    fedilink
    English
    arrow-up
    58
    ·
    4 months ago

    At minimum you need to limit the request size to avoid DOS attacks and such. But obviously that would be a much larger limit than anyone would use for a password.

    • owsei
      link
      fedilink
      English
      arrow-up
      27
      ·
      4 months ago

      Also rate of the requests. A normal user isn’t sending a 1 MiB password every second

    • JackbyDev
      link
      fedilink
      English
      arrow-up
      4
      ·
      4 months ago

      What’s a sensible limit. 128 bytes? Maybe 64?

      • owsei
        link
        fedilink
        English
        arrow-up
        8
        ·
        4 months ago

        I’d say 128 is understandable, but something like 256 or higher should be the limit. 64, however, is already bellow my default in bitwarden