For Foxit's sake: PDF editor biz breached, users' passwords among stolen data

Michael Wojcik

Re: why have ANY upper limit?

This argument is rather baffling. Any password-verifier mechanism using a decent digest (aka "hash") will be storing enough entropy to represent around 50 alphanumeric characters.

The "position in the hashed space" is irrelevant. Password verifiers created with a competent algorithm aren't broken by analysis; they're broken by brute force, using precomputed values (when no salt was used, or when the salt and preimage length are short enough to make rainbow tables feasible) and/or parallel trials with a (mutating) dictionary of short and common passwords.

So longer passphrases are very much useful, assuming a competent password-verifier mechanism.

And we don't know what Foxit are doing. They may have a competent verifier mechanism with an incompetent front end (thus the 20-character limit). They may have a competent verifier mechanism and front end with an incompetent policy for no good reason. They may have an incompetent mechanism, such as an unsalted hash or worse.
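The three cases the comment lists, as an added illustration that is not the commenter's code and not Foxit's: a competent verifier (per-user random salt plus a slow KDF, here PBKDF2-HMAC-SHA256), the same verifier behind a front end that silently truncates input (the `truncate` parameter is a hypothetical model of a 20-character limit), and an unsalted fast hash. The names `hash_password`, `verify_password` and `unsalted_digest` are this example's own.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as attacker hardware improves


def hash_password(password, salt=None, truncate=None):
    """Competent verifier: random 16-byte salt per user plus a slow KDF.

    `truncate` (hypothetical) models an incompetent front end that cuts the
    password to N characters before it ever reaches the KDF, so any
    characters beyond N contribute nothing to the stored verifier.
    """
    if salt is None:
        salt = os.urandom(16)
    if truncate is not None:
        password = password[:truncate]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "truncate": truncate}


def verify_password(record, candidate):
    """Recompute the KDF with the stored salt and compare in constant time."""
    if record["truncate"] is not None:
        candidate = candidate[: record["truncate"]]
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def unsalted_digest(password):
    """Incompetent mechanism: a fast, unsalted hash. Identical passwords give
    identical digests for every user, so one precomputed table covers all of them."""
    return hashlib.sha256(password.encode("utf-8")).digest()


if __name__ == "__main__":
    # Constructed sample passphrase (28 characters) and a variant that differs
    # only after the 20th character.
    passphrase = "correct horse battery staple"
    variant = passphrase[:20] + "XXXXXXXX"

    good = hash_password(passphrase)
    print("competent verifier rejects variant:", not verify_password(good, variant))

    limited = hash_password(passphrase, truncate=20)
    print("truncating front end accepts variant:", verify_password(limited, variant))

    print("unsalted digests collide across users:",
          unsalted_digest(passphrase) == unsalted_digest(passphrase))
    print("salted digests differ across users:",
          hash_password(passphrase)["digest"] != hash_password(passphrase)["digest"])
```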