
If the input is 71 characters, all the libraries happily accept it, but an attacker needs to guess only 1 character.


If these tools had a runtime check, then the cache key creation would have failed out.

72 is the max length of id, username, and password combined. If that combination is over 72, then it would fail and the cache key would not have been created. So, no, the attacker would not need to guess only one character of a password.


have separate salt / pepper / user id args


How is the library supposed to know you're doing that wrong?
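The situation the thread is arguing about, as an added model that is not code from the thread or from any library: bcrypt hashes only the first 72 bytes of its input, so a cache key built as id + username + password leaves an attacker guessing only the password bytes that fall inside that window, and a fail-closed length check before hashing is what prevents the key from being created at all. The field layout, the ":" separator and the sample identifiers are assumptions.

```python
"""Model of the 72-byte truncation discussed above (assumed layout, constructed data)."""

BCRYPT_MAX_INPUT = 72  # bcrypt consumes at most this many bytes; the rest are ignored


def build_cache_key(user_id: str, username: str, password: str) -> bytes:
    """Concatenate the three fields; the ':' separator is an assumption."""
    return ":".join((user_id, username, password)).encode("utf-8")


def hashed_portion(key: bytes) -> bytes:
    """The bytes bcrypt would actually see: everything past byte 72 is dropped."""
    return key[:BCRYPT_MAX_INPUT]


def password_bytes_that_matter(user_id: str, username: str, password: str) -> int:
    """How many password bytes influence the hash, i.e. what an attacker must guess."""
    prefix_len = len(build_cache_key(user_id, username, ""))  # id, username, separators
    room = BCRYPT_MAX_INPUT - prefix_len
    return max(0, min(len(password.encode("utf-8")), room))


def truncation_collides(user_id: str, username: str, pw_a: str, pw_b: str) -> bool:
    """True when two different passwords give bcrypt identical input."""
    a = hashed_portion(build_cache_key(user_id, username, pw_a))
    b = hashed_portion(build_cache_key(user_id, username, pw_b))
    return pw_a != pw_b and a == b


def cache_key_allowed(user_id: str, username: str, password: str) -> bool:
    """The runtime check the thread calls for: refuse keys bcrypt would truncate."""
    return len(build_cache_key(user_id, username, password)) <= BCRYPT_MAX_INPUT


def build_cache_key_checked(user_id: str, username: str, password: str) -> bytes:
    """Fail closed instead of silently hashing a truncated key."""
    key = build_cache_key(user_id, username, password)
    if len(key) > BCRYPT_MAX_INPUT:
        raise ValueError(f"cache key is {len(key)} bytes; bcrypt hashes only {BCRYPT_MAX_INPUT}")
    return key


if __name__ == "__main__":
    # Constructed: a 20-byte id and 49-byte username leave a 71-byte prefix, as in the thread.
    uid, uname = "u" * 20, "n" * 49
    print(password_bytes_that_matter(uid, uname, "Correct-Horse-Battery"))  # 1
    print(truncation_collides(uid, uname, "Correct-Horse", "Cat"))          # True
    print(cache_key_allowed(uid, uname, "Correct-Horse"))                   # False
```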



