Hello!
I'm reading Programming Phoenix >= 1.4 to get a full picture of the framework.
Chapter 5 deals with authentication. In it, we implement validation as such:
# The password rules are intentionally weak, as this implementation's focus is being a learning material
def registration_changeset(user, params) do
  user
  |> changeset(params)
  |> cast(params, [:password])
  |> validate_required([:password])
  |> validate_length(:password, min: 6, max: 100)
  |> put_pass_hash()
end
I’m puzzled by the max length requirement. Why cap the password length at 100? I’m reading another book (other technology) and I saw the same capping being done by the author.
I understand, of course, that having a longer password is probably impractical but still, if a user wants to store a password of length 101, 150 or even 200 (generated with a password manager), I’d like to know why I should prevent that?
By capping the length and returning an error about it, we could wrongly hint that we may be storing the password in clear text (the max column length would be 100), considering that the input length has no effect on the output length of a hashing function.
Traditionally, it's my understanding that a hashing function's input length did not matter (that much) computation-wise:
$ time ruby -e "print 'a'*200" | sha256sum
c2a908d98f5df987ade41b5fce213067efbcc21ef2240212a41e54b5e7c28ae5 -
real 0m0.161s
user 0m0.107s
sys 0m0.060s
$ time ruby -e "print 'a'*200000" | sha256sum
2287d207f24a941ff3b56c04c8a25ad56b63e3023207b3bb5b4ac0c9869d74be -
real 0m0.133s
user 0m0.082s
sys 0m0.040s
It looks like more recent algorithms may care about it. I can’t deduce much from this limited experiment though:
$ ruby -e "print 'a'*100" | argon2 salt123456
Type: Argon2i
Iterations: 3
Memory: 4096 KiB
Parallelism: 1
Hash: 400680f3e4793f230c859946e19c9c49b0311bf3cbfd1b564c5cfaecd86d0992
Encoded: $argon2i$v=19$m=4096,t=3,p=1$c2FsdDEyMzQ1Ng$QAaA8+R5PyMMhZlG4ZycSbAxG/PL/RtWTFz67NhtCZI
0.019 seconds
Verification ok
Type: Argon2i
Iterations: 3
Memory: 4096 KiB
Parallelism: 1
Hash: 639df3698b92be93a2dc0b6dc6709eba334d0c074451bb8f22b0a30cfcb4531e
Encoded: $argon2i$v=19$m=4096,t=3,p=1$c2FsdDEyMzQ1Ng$Y53zaYuSvpOi3AttxnCeujNNDAdEUbuPIrCjDPy0Ux4
0.019 seconds
Verification ok
$ ruby -e "print 'a'*200" | argon2 salt123456
Error: Provided password longer than supported in command line utility
I used the argon2 command line utility, but we use the pbkdf2 algorithm in the book. It's unclear why the author capped the input length here; there's an open GitHub issue about it.
I saw some conflicting and contradicting view points online, so I thought I’d ask here.
Maybe someone knowledgeable can enlighten me.
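The post's timing experiment used sha256sum and the argon2 CLI, while the book uses pbkdf2. The following is an added example (not code from the book, the forum post, or the Phoenix project) that repeats the same experiment against PBKDF2-HMAC-SHA256 from Python's standard library: it derives a key from inputs of 6, 100, 200 and 200,000 bytes, reports the elapsed time per input length, and checks that the output size stays fixed whatever the input length. The iteration count, the fixed salt `salt123456` and the input lengths are constructed values chosen only so the run is reproducible; real deployments tune the iteration count to their hardware and use a random per-user salt.

```python
"""Added example: does the input length change the cost or the output size of
PBKDF2-HMAC-SHA256? All parameter values below are constructed for the demo."""
from __future__ import annotations

import hashlib
import time

ITERATIONS = 100_000       # constructed; tune to your hardware in production
SALT = b"salt123456"       # fixed for reproducibility only; use os.urandom(16) per user
LENGTHS = (6, 100, 200, 200_000)


def derive(password: bytes, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key. The digest size is that of SHA-256, independent of input length."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def timed_derive(password: bytes) -> tuple[bytes, float]:
    """Derive a key and return it together with the elapsed wall-clock seconds."""
    start = time.perf_counter()
    digest = derive(password)
    return digest, time.perf_counter() - start


def experiment(lengths: tuple[int, ...] = LENGTHS) -> dict[int, dict[str, float | int]]:
    """For each input length, record the digest length and the derivation time.

    PBKDF2 uses the password as the HMAC key. A key longer than the hash block
    size (64 bytes for SHA-256) is hashed once up front; every later iteration
    works on the precomputed HMAC state, so the per-iteration cost does not
    grow with the password length and the iteration count dominates the total.
    """
    results: dict[int, dict[str, float | int]] = {}
    for n in lengths:
        digest, elapsed = timed_derive(b"a" * n)
        results[n] = {"digest_len": len(digest), "seconds": elapsed}
    return results


def output_length_is_constant(lengths: tuple[int, ...] = LENGTHS) -> bool:
    """True when every input length yields a digest of the same size."""
    return len({len(derive(b"a" * n)) for n in lengths}) == 1


def main() -> None:
    for n, r in experiment().items():
        print(f"input={n:>7} bytes  digest={r['digest_len']} bytes  {r['seconds']:.3f}s")
    print("constant output length:", output_length_is_constant())


if __name__ == "__main__":
    main()
```

Run it as a script to see the per-length timings on your own machine; the column to watch is the elapsed time, which should be roughly the same for the 6-byte and the 200,000-byte input. What a length cap buys a defender with this construction is not a faster hash but a bound on the size of the request body the server has to accept and pre-hash; a cap in the hundreds of bytes is far above anything a password manager generates while still rejecting multi-megabyte submissions.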