this post was submitted on 14 Jul 2023
1178 points (92.1% liked)
Technology
60082 readers
2723 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
That’s just not true, all of these things can be achieved without saving the password as plain text
How is it not true? If a site is saying for example, "password must be less than 20 characters" -- that is purely a limitation based on the size of the database field, which you can only assume it's being adding to that field as plain text. A hash will always be the same length and password length would not matter.
I'll keep my aswer short, but first of all, usually this format enforcement is done on the client before it is ever sent to the backend, there are many reasons to limit the maximum length other than string length limitations on the database ( not that I can think of many actual good reasons).
Second of all, the client should send the actual password to the backend (allowing you validate these same password requirements on your backend), not the hashed password, hashing the password on the client side would be no better than storing the password as "plain text".
And never is the "plain text" password stored in any database, only sent over to the backend and hashed, every time you set a new password, or log in using an existing one.