On Thu, 2011-04-28 at 11:08 -0600, Eric Wald wrote:
> I see no reason for password length restriction to be less than 127
> characters. However, allowing a full megabyte would probably be
> excessive. Is there a best-practices limit? 1K, perhaps?
Best practice has generally been salted hashes, but some have started recommending an HMAC or PBKDF (password-based key derivation function). Whatever you choose, at its heart will be a hashing algorithm. As such, I don't think there should be any input length limitation. I'm not expert enough to pick a winner, but if you're researching how to store credentials I'd recommend you start by evaluating PBKDF2, bcrypt, and scrypt.
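As an added example, not part of the thread above, here is a salted PBKDF2-HMAC-SHA256 credential store using only Python's standard library. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample passwords are constructed for this illustration. The `distinguishes_beyond` helper checks the point the reply makes: a KDF built on a hash accepts input of any length, so two passwords that differ only past byte 72 still produce different hashes. That byte offset is chosen because bcrypt, one of the other candidates named, truncates its input there, which is the caveat a practitioner comparing the three should know about.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not from the original post).
# Tune ITERATIONS upward to the slowest value your login latency budget allows.
ITERATIONS = 200_000
SALT_BYTES = 16
DK_LEN = 32          # derived-key length in bytes (256 bits)
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key from `password` and return a self-describing record.

    The record carries the algorithm tag, iteration count and salt so the
    verifier never has to guess parameters, and so they can be raised later
    without invalidating stored records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, DK_LEN)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored parameters and compare it in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                       # malformed record, treat as no match
    if algo != ALGO_TAG:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), DK_LEN)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def distinguishes_beyond(prefix_len: int, salt: bytes, iterations: int = 1000) -> bool:
    """True if two passwords that differ only after `prefix_len` bytes hash differently.

    For a hash-based KDF this is always True; a store that silently truncated
    input at `prefix_len` (bcrypt does so at 72 bytes) would return False.
    """
    base = "a" * prefix_len
    rec_b = hash_password(base + "b", salt=salt, iterations=iterations)
    rec_c = hash_password(base + "c", salt=salt, iterations=iterations)
    return rec_b != rec_c


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("long input distinguished past byte 72:",
          distinguishes_beyond(72, salt=os.urandom(SALT_BYTES)))
```

Because PBKDF2 uses the password as the HMAC key, an input longer than the hash's block size is compressed to one digest before iteration starts, so even a 1 K password costs only one extra hash of that input; the length cap Eric asked about can therefore be a sanity limit on request size rather than a property of the storage scheme.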
