• frezik@midwest.social
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    9 months ago

    Password strength checkers are taking an approach that’s naive for this case. The actual strength depends on the size of the dictionary and the number of words you randomly choose out of it.

    Bcrypt has a length limit of 72 characters, so very long passwords generated this way can be silently truncated. Developers can avoid this problem by running sha256 on the input before giving it to bcrypt, but that isn’t common.