02-29-2016, 05:43 PM
dynastoned
Quote:
Originally Posted by rowan
Yes, this is possible, because even if the system uses hashes internally, you submit the password to the login page in cleartext. So it would certainly be possible for a program to do a once-off check and notify if it sees the password is too long.

Question is WHY is there the limit in the first place for crak? Password prompts can be made fixed size on a page - they'll just scroll sideways - and there's no real performance difference between sending 5 characters or 500 characters. So why are passwords limited to this length? Even if crak are encrypting them (special decryption algorithm + salt) that means they can be decrypted. Why would a program ever need to access your cleartext password?
lol good thing you caught my post. I tried to add to the post and somehow edited it out. Doing too many things at once.

but yeah things that make you go hmm...
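The point in the quoted post, as an added example that is not part of the thread or of any program discussed in it: a system that stores only salted hashes keeps a fixed-size record whatever the password length, yet it can still run a one-off length check at login because that is when the cleartext is submitted. The names `MAX_LEN`, `make_record` and `login`, the limit of 8 and the sample passwords are assumptions made up for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 8          # hypothetical length limit, chosen for illustration
ITERATIONS = 100_000  # PBKDF2 work factor used by this example


def make_record(password: str) -> dict:
    """Return what the server stores: a random salt and a PBKDF2 hash.

    The cleartext is discarded, so the record says nothing about length.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def login(record: dict, submitted: str) -> dict:
    """Verify a submitted password and run the one-off length check.

    The length is only knowable here, while the cleartext is in hand.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], ITERATIONS
    )
    ok = hmac.compare_digest(candidate, record["hash"])
    # Only flag the length for a correct password, so the check does not
    # leak anything about the account to a wrong guess.
    return {"authenticated": ok, "too_long": ok and len(submitted) > MAX_LEN}


if __name__ == "__main__":
    # Constructed sample passwords: one short, one 500 characters long.
    for pw in ("abc12", "x" * 500):
        rec = make_record(pw)
        print(len(pw), "chars ->", len(rec["hash"]), "byte hash,", login(rec, pw))
```

Both records hold a 32-byte hash, which is why storage size gives no reason to cap password length when hashing is used.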