password length limit #237
Comments
Your changelog says:
If you are trying to avoid revealing valid usernames, you would know they use a single character (or the minimum) password length. You should allocate a random amount between length and 5000 to require at least 5000 providing more time for temperature to change. That makes it more difficult to guess the logins.
The problem is we don't know which salt to use for an invalid user. See the comment
@mkj meaning that the salt would be known by all who have this repository? Why don't you make it at first execution?
I'll explain the details. For
For Dropbear to run crypt() to check the password hash of a user (or pretend to do it for an unknown user, with a realistic time delay) it needs to pass in that So we could just read the salt of the first user in
It seems like you are trying to diff audio conversations of the town I live in instead of work on better products, no wonder there's no jobs.
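The pretend-check mkj describes, as an added illustration that is not Dropbear's code: a constructed user table, a dummy credential generated once at startup (the "make it at first execution" idea from the thread) so an unknown user still costs exactly one hash computation, and the leaky early-return variant beside it for comparison. hashlib.scrypt stands in for crypt(); the user names and passwords are made up.

```python
import hashlib
import hmac
import os
import secrets
import time


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in for crypt(): salted, deliberately slow password hash.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


# Constructed user database: name -> (salt, hash).
USERS = {}


def add_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = (salt, _hash(password, salt))


add_user("alice", "correct horse battery staple")

# Dummy credential created once per process start. It never matches a real
# login; it only gives unknown users something to be "checked" against.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def auth_leaky(name: str, password: str) -> bool:
    # Returns before any hashing for unknown users: the skipped work is measurable.
    if name not in USERS:
        return False
    salt, stored = USERS[name]
    return hmac.compare_digest(_hash(password, salt), stored)


def auth_hardened(name: str, password: str) -> bool:
    # Always performs one hash; unknown users are compared against the dummy.
    known = name in USERS
    salt, stored = USERS[name] if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), stored)
    return known and match


def timing_gap(auth, trials: int = 5) -> float:
    # Average seconds per attempt for a known user minus an unknown user.
    def avg(name: str) -> float:
        start = time.perf_counter()
        for _ in range(trials):
            auth(name, "wrong-password")
        return (time.perf_counter() - start) / trials

    return avg("alice") - avg("nobody")
```

Run `timing_gap(auth_leaky)` and `timing_gap(auth_hardened)` to see the first report a gap of roughly one hash computation and the second report close to zero.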
It's not complicated.
When the request is made, time is spent to gather the existing key hash and process it. That time is measured, and based on the salt value of the OS or the salt value that is randomly set or set by this program you can guess if an account is real or not. It's very simple, the salt value that is used when there is no account should be random. Random values are created by subatomic particles that are sent through encased sensors. Dust in space modifies the rate of the particles.
I'm giving you advice because I understand something and I think improvement is a requirement. I'm asking you to change the allocation maximum from 100 to 5000. It is a simple number modification. There's no reason to add to the list of contributors. I'm giving you advice on how to use the hashing routines to reduce account name guess validity because you are working on that, most recently within this project.
Why make the limit very small, 100 characters?
I realize it needs to be allocated and that the password is stored as a salted hash that is much shorter than the possible length proving that you aren't able to allocate the exact length.
Why don't you read the input into memory to 5000 bytes instead of 100 bytes?