02-29-2016, 03:19 PM
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,386
Quote:
Originally Posted by dynastoned
Could they have written something up so that when people log in, it counts the characters of the password before it's encrypted/decrypted (or however the login process works), and once the login page has finished it carries the true or false of $pw > 16 characters over to your account? Then, if it's true that you have a password greater than 16 chars, it sends the OP's email to the email address they have for you in the db? Or would that somehow compromise your password?

I'm not sure how a login page works exactly, so I don't know, but it seems possible.
Yes, this is possible, because even if the system uses hashes internally, you submit the password to the login page in cleartext. So it would certainly be possible for a program to do a once-off check and notify if it sees the password is too long.

The question is WHY there is the limit in the first place for crak. Password prompts can be made a fixed size on a page (they'll just scroll sideways), and there's no real performance difference between sending 5 characters or 500 characters. So why are passwords limited to this length? Even if crak are encrypting them (special decryption algorithm + salt), that means they can be decrypted. Why would a program ever need to access your cleartext password?
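A concrete sketch of the mechanism rowan describes, added here as an example and not code from the thread or from the site being discussed. It shows the one place the cleartext password is available to the server (the moment the login form is submitted), runs the once-off length check there, and then keeps nothing but a salted PBKDF2 hash and a boolean per account, so no reversible encryption and no stored cleartext is needed. The in-memory user store, the LIMIT constant, the notify callback and the sample passwords are all assumptions made for this example; PBKDF2 is used only because it ships with the Python standard library and runs offline.

```python
import hashlib
import hmac
import os

# Added example (not code from the forum thread or the site discussed).
# LIMIT and PBKDF2_ROUNDS are assumptions chosen for the illustration.
LIMIT = 16              # the character limit debated in the thread
PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> dict:
    """Create the stored record for a password: random salt + PBKDF2 hash.
    The cleartext itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    # 'checked' makes the length check once-off; 'over_limit' is the only
    # thing remembered about the password's shape.
    return {"salt": salt, "hash": digest, "checked": False, "over_limit": False}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash from the submitted cleartext and compare in
    constant time; there is no way to recover the password from the record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def login(users: dict, username: str, password: str, notify) -> bool:
    """Handle one login request.

    The form delivers the password in cleartext (over TLS, but cleartext to
    the server), so this is the only point where its length can be measured.
    On the first successful login the length is checked and, if it exceeds
    LIMIT, a boolean is recorded and `notify` is called (e.g. to email the
    address on file). The cleartext goes out of scope when we return.
    """
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if not record["checked"]:
        record["checked"] = True
        if len(password) > LIMIT:
            record["over_limit"] = True
            notify(username)
    return True


def demo():
    """Constructed sample store: one long password, one short one.
    Returns the list of usernames that were notified plus the store."""
    notified = []
    users = {
        "alice": make_record("correct horse battery"),   # 21 chars, over LIMIT
        "bob": make_record("short-pw-12"),               # 11 chars
    }
    login(users, "alice", "correct horse battery", notified.append)
    login(users, "alice", "correct horse battery", notified.append)  # no second notice
    login(users, "bob", "short-pw-12", notified.append)
    login(users, "alice", "wrong password", notified.append)         # rejected, no notice
    return notified, users


if __name__ == "__main__":
    notified, users = demo()
    print("notified:", notified)
    print("alice over limit:", users["alice"]["over_limit"])
    print("bob over limit:", users["bob"]["over_limit"])
```

The check needs no decryption step and no stored cleartext: it runs on the transient form value, then only the hash and a flag survive, which is the answer to the "would that compromise your password?" worry. The same pattern is how a site would migrate passwords to a stronger hash, or measure strength, without ever being able to read them later.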