
If you're hashing it, who cares if someone wants to submit a 250MB password? They'll only be slowing their own session down. What I store in the database is always 256 bits either way.


Because your app has to load it all into memory. Submitting many very large payloads is a well-known denial-of-service attack.


Like a good developer, you run passwords through a slow hash function. This leaves you vulnerable to denial of service by wasting CPU hashing huge passwords: http://arstechnica.com/security/2013/09/long-passwords-are-g...


Predictably, this just regresses to what constitutes a big number. Take your pick for one that would cause noteworthy resource consumption in a given system.
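The thread above argues about where the cost of an oversized password actually lands. The usual fix is to bound the input before the slow KDF ever sees it, on both the registration and the login path, and to measure the bound in bytes, since that is what the hash consumes. The following is an added example, not code from any commenter or from the article linked above. The 4096-byte cap and the iteration count are assumptions chosen for illustration, and PBKDF2-HMAC-SHA256 from the standard library stands in for whatever slow hash a real application uses.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy constants (illustrative, not taken from the thread).
# The cap is checked on the raw UTF-8 bytes, because that is what the KDF hashes.
MAX_PASSWORD_BYTES = 4096
ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


class PasswordTooLong(ValueError):
    """Raised before any KDF work is done when the password exceeds the byte cap."""


def accepts(password: str) -> bool:
    """True if the password's UTF-8 encoding fits under the cap.

    Note that this is a byte count, not a character count: a 4096-character
    string of two-byte characters is 8192 bytes and is rejected.
    """
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def _checked_bytes(password: str) -> bytes:
    # len() on the encoded bytes is O(1); the KDF below is deliberately not.
    # Rejecting here is what keeps an oversized submission from costing CPU.
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(
            f"password is {len(pw)} bytes, limit is {MAX_PASSWORD_BYTES}"
        )
    return pw


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing stored form: algorithm$iterations$salt$digest.

    The digest is always 32 bytes regardless of the input length, which is the
    point made in the first comment; the length cap addresses the cost of
    getting there, which is the point made in the replies.
    """
    pw = _checked_bytes(password)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored hash.

    The same cap applies here: the login form is where an attacker would send
    the oversized payloads, since it needs no account of their own.
    """
    pw = _checked_bytes(password)
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def digest_bytes(stored: str) -> int:
    """Size of the stored digest, to show it does not depend on input length."""
    return len(base64.b64decode(stored.split("$")[3]))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify bad:", verify_password("wrong", stored))
    try:
        hash_password("a" * (MAX_PASSWORD_BYTES + 1))
    except PasswordTooLong as exc:
        print("rejected:", exc)
```

The rejection happens in `_checked_bytes`, before `pbkdf2_hmac` is called, so an oversized request costs the server one `len()` and an exception rather than a full KDF run. Whatever number you pick for the cap, apply it to the bytes that reach the hash and apply it on the login path as well as at registration.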



