Programming Phoenix >= 1.4 to get a full picture of the framework.
Chapter 5 deals with authentication. In it, we implement validation as such:
```elixir
# The password rules are intentionally weak, as this implementation's focus is being a learning material
def registration_changeset(user, params) do
  user
  |> changeset(params)
  |> cast(params, [:password])
  |> validate_required([:password])
  |> validate_length(:password, min: 6, max: 100)
  |> put_pass_hash()
end
```
I’m puzzled by the max length requirement. Why cap the password length at 100? I’m reading another book (other technology) and I saw the same capping being done by the author.
I understand, of course, that having a longer password is probably impractical but still, if a user wants to store a password of length 101, 150 or even 200 (generated with a password manager), I’d like to know why I should prevent that?
By capping the length and returning an error about it, we could wrongly hint at the fact that we may be storing the password in clear text (max column length would be 100), considering that the input length has no effect on the output length of a hashing function.
Traditionally, it's my understanding that a hashing function's input length did not matter (that much) computing-wise:
```
$ time ruby -e "print 'a'*200" | sha256sum
c2a908d98f5df987ade41b5fce213067efbcc21ef2240212a41e54b5e7c28ae5  -

real    0m0.161s
user    0m0.107s
sys     0m0.060s

$ time ruby -e "print 'a'*200000" | sha256sum
2287d207f24a941ff3b56c04c8a25ad56b63e3023207b3bb5b4ac0c9869d74be  -

real    0m0.133s
user    0m0.082s
sys     0m0.040s
```
It looks like more recent algorithms may care about it. I can’t deduce much from this limited experiment though:
```
$ ruby -e "print 'a'*100" | argon2 salt123456
Type:           Argon2i
Iterations:     3
Memory:         4096 KiB
Parallelism:    1
Hash:           400680f3e4793f230c859946e19c9c49b0311bf3cbfd1b564c5cfaecd86d0992
Encoded:        $argon2i$v=19$m=4096,t=3,p=1$c2FsdDEyMzQ1Ng$QAaA8+R5PyMMhZlG4ZycSbAxG/PL/RtWTFz67NhtCZI
0.019 seconds
Verification ok

Type:           Argon2i
Iterations:     3
Memory:         4096 KiB
Parallelism:    1
Hash:           639df3698b92be93a2dc0b6dc6709eba334d0c074451bb8f22b0a30cfcb4531e
Encoded:        $argon2i$v=19$m=4096,t=3,p=1$c2FsdDEyMzQ1Ng$Y53zaYuSvpOi3AttxnCeujNNDAdEUbuPIrCjDPy0Ux4
0.019 seconds
Verification ok

$ ruby -e "print 'a'*200" | argon2 salt123456
Error: Provided password longer than supported in command line utility
```
I used the argon2 command line utility, but we use the pbkdf2 algorithm in the book. It's unclear why the author capped the input length here; there's an open GitHub issue about it.
I saw some conflicting and contradicting view points online, so I thought I’d ask here.
Maybe someone knowledgeable can enlighten me.
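The question above is about whether a password hasher's cost or output depends on the input length. The following Ruby script is an added example (not part of the post, the book, or the Comeonin/pbkdf2 library the book uses) that probes this for PBKDF2-HMAC-SHA256 with OpenSSL. Two things are worth knowing: PBKDF2 uses the password as the HMAC key, and HMAC replaces any key longer than the hash's block size (64 bytes for SHA-256) with its digest before use, so every password longer than 64 bytes is indistinguishable from a particular 32-byte one. The salt, iteration count and input sizes are constructed for the illustration.

```ruby
require "openssl"
require "benchmark"

# PBKDF2-HMAC-SHA256 parameters; constructed for this example, not the book's.
SALT   = "salt123456"
ITERS  = 50_000
LENGTH = 32
HASH   = "sha256"
BLOCK_SIZE = 64 # SHA-256 compression block size, which is HMAC's key limit

def pbkdf2(password)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: SALT, iterations: ITERS,
                           length: LENGTH, hash: HASH)
end

# HMAC (RFC 2104) hashes a key longer than BLOCK_SIZE before keying, so
# PBKDF2(password) == PBKDF2(SHA256(password)) whenever the password is
# longer than 64 bytes. Returns true only for such "over-long" passwords.
def long_password_equivalent?(password)
  return false unless password.bytesize > BLOCK_SIZE
  pbkdf2(password) == pbkdf2(OpenSSL::Digest::SHA256.digest(password))
end

# Wall-clock seconds to derive a key from a password of +len+ bytes.
# OpenSSL keys the HMAC once and copies that state for each iteration, so
# the extra cost of a long password is paid once, not ITERS times.
def derive_time(len)
  Benchmark.realtime { pbkdf2("a" * len) }
end

if __FILE__ == $0
  puts "100-byte password equals its digest: #{long_password_equivalent?('a' * 100)}"
  puts " 64-byte password equals its digest: #{long_password_equivalent?('a' * 64)}"
  [100, 10_000, 1_000_000].each do |len|
    printf("%9d-byte password: %.3fs\n", len, derive_time(len))
  end
end
```

The timing loop is only informative (it is deliberately not asserted on): with OpenSSL the 1 MB input costs about the same as the 100-byte one. A hasher that re-keys the HMAC on every iteration pays the long-input cost ITERS times instead, which is how very long submitted passwords became a CPU denial-of-service vector in some PBKDF2 implementations and why frameworks such as Django added an input length cap; a cap of 100 characters, as in the book, sits well above the point where PBKDF2-HMAC-SHA256 stops gaining anything from extra length.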