Why limit password length?

This question is inspired by "Is there any security risk in not setting a maximum password length?".

Specifically the accepted answer https://security.stackexchange.com/a/238033/9640 says limits are recommended to avoid exhausting the server.

Also it seems to me that if the server is hashing your password to an n-digit hash, there is no security advantage to having a password that is longer than n digits. An entity that could reasonably brute force the n-digit space would not have to brute force the (n+1)-digit space to brute force your (n+1)-digit password. In practical terms, a 1000-digit password is not really more secure than a 500-digit password.

However, what about double hashing the password?

  1. The user enters a password of arbitrary length.
  2. The client hashes the password to a fixed length.
  3. The server can reject the client’s hash if it is not the fixed length (protecting the server from resource exhaustion).
  4. The server otherwise treats the client’s hash as the password and proceeds in the usual manner (it re-hashes it).

In this way, if you want a 10,000 character long password, go for it. Your browser will, invisibly to you, transform your 10,000 character long password into a 128 character long password (still very secure), and the only change in the server is that now the server knows that all passwords must be exactly 128 characters long, so it can reject some logins more easily.

The primary benefit of this scheme is that no user will ever be told "your password is too long". I personally find this message to be disheartening. But I concede that this benefit is not monumental. So if there are any security holes that I am not seeing, this scheme is probably not worth it.

Is there any security risk in not setting a maximum password length?

I’m a listener of the podcast "Security Now" where Steve Gibson, a security expert, often claims that there are no reasons to limit the number of characters a user can use in their passwords when they create an account on a website. I have never understood how it is even technically possible to allow an unlimited number of characters and how it could not be exploited to create a sort of buffer overflow.

I found a related question here, but mine is slightly different. The author of the other question explicitly mentions in their description that they understand why setting a maximum length of 100000000 characters would be a problem. I actually want to know why it would be a problem: is it, as I have just said, because of buffer overflows? But to be vulnerable to a buffer overflow, shouldn’t you have a sort of boundary which you can’t exceed in the first place, and thus if you didn’t limit the number of characters, would you even have this risk? And if you are thinking about starving a computer’s RAM or resources, could even a very large password be a problem?

So, I guess it is possible not to limit the number of characters in a password: all you’d have to do would be to not use the maxlength attribute or not have a password validation function on the server side. Would that be the secure way to do it? And if it is, is there any danger in allowing an unlimited number of characters for your passwords? On the other hand, NIST recommends that developers limit passwords to 256 characters. If they take the time to recommend a limitation, does it mean there has to be one?
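As an added example (not code from either post), here is the two-stage scheme from the first question next to the plain length cap the second question asks about, in Python: SHA-512 as the client pre-hash (128 hex characters, the figure the first post uses), a cheap shape check on the server before any expensive work, and PBKDF2 with a per-user salt as the server-side hash. All constants are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (not taken from any real project).
CLIENT_DIGEST_HEX_LEN = 128   # SHA-512 hex digest: the "128 characters" the first post describes
SERVER_MAX_RAW_LEN = 256      # the NIST-style upper bound the second post mentions
KDF_ITERATIONS = 200_000      # PBKDF2 work factor: the expensive step the length check protects


def client_prehash(password: str) -> str:
    """Step 2 of the scheme: collapse input of any length into a fixed-length hex digest."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def server_accepts_prehash(candidate: str) -> bool:
    """Step 3: an O(1) shape check that runs before any expensive hashing."""
    return (len(candidate) == CLIENT_DIGEST_HEX_LEN
            and all(c in "0123456789abcdef" for c in candidate))


def server_accepts_raw(password: str) -> bool:
    """The conventional alternative: bound the raw password's byte length before hashing it."""
    return 1 <= len(password.encode("utf-8")) <= SERVER_MAX_RAW_LEN


def server_store(prehash: str, salt=None) -> dict:
    """Step 4: treat the client digest as the password and run the slow, salted KDF on it."""
    if not server_accepts_prehash(prehash):
        raise ValueError("rejected before hashing: not a 128-hex-char client digest")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", prehash.encode("ascii"), salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": digest}


def server_verify(prehash: str, record: dict) -> bool:
    """Same shape check first, then a constant-time comparison of the KDF output."""
    if not server_accepts_prehash(prehash):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", prehash.encode("ascii"),
                                 record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])
```

Note that the client digest becomes the password-equivalent credential, which is why the server still salts and stretches it in step 4 rather than storing it directly.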

Using slot and application to variable length vector

I have a list of 2D coordinates with a maximum length of 3, e.g.

peakdatAB = {{1007.81, 8.64842}, {1008.38, 8.19264}}

I need to generate something like this

({PointSize[0.01], Blue, Point[#1], Red, Point[#2], Black, Point[#3]}) & @@ peakdatAB 

but here the problem is the variable length of peakdatAB: when there is, say, no third point, it returns an error. How can I fix this?

Algorithm- Find the length of largest subarray having sum greater than k

I tried to solve this problem but could not do it better than O(n^2).

My algorithm:

  1. Calculate the prefix sum.
  2. for i in 1...n: for j in 1...i: if (presum[i] - presum[j-1] > k) ans = max(ans, i-j);

However, this is inefficient for large values of n. Can someone help me with an optimized algorithm along with code, preferably in C++?
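An added O(n) version of the problem, written in Python rather than the C++ the post asks for and not the asker's code: with prefix sums the task is to maximise i - j subject to prefix[i] - prefix[j] > k, which a two-pointer sweep over a running prefix minimum and a suffix maximum solves in one pass. The O(n^2) loop from the post is included only for cross-checking.

```python
from itertools import accumulate


def longest_subarray_sum_greater_than(arr, k):
    """Length of the longest contiguous subarray whose sum is strictly greater than k (0 if none).
    Handles negative numbers; O(n) time, O(n) extra space."""
    n = len(arr)
    # prefix[i] = sum(arr[:i]); subarray arr[j:i] has sum prefix[i] - prefix[j] and length i - j
    prefix = [0] + list(accumulate(arr))
    # left_min[j] = min(prefix[0..j]); right_max[i] = max(prefix[i..n])
    left_min = list(accumulate(prefix, min))
    right_max = list(accumulate(reversed(prefix), max))[::-1]
    best = 0
    i = j = 0
    while i <= n and j <= n:
        if right_max[i] - left_min[j] > k:
            # some j' <= j and i' >= i realise this difference, so a subarray of
            # length at least i - j with sum > k exists; try to stretch i further
            best = max(best, i - j)
            i += 1
        else:
            # no end point at or after i beats the best start seen so far: advance j
            j += 1
    return best


def longest_subarray_sum_greater_than_bruteforce(arr, k):
    """The O(n^2) reference from the post, kept only for cross-checking small inputs."""
    n = len(arr)
    prefix = [0] + list(accumulate(arr))
    best = 0
    for i in range(1, n + 1):
        for j in range(1, i + 1):
            if prefix[i] - prefix[j - 1] > k:
                best = max(best, i - j + 1)
    return best
```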

Searching for substring in field that contains variable length of arrays of json objects

I am trying to construct a SQL query that searches for a substring within a field. The issue is that the field contains an array of one or more JSON objects.

For example the table looks like so:

day     | items
--------+---------------------------------------------------------------
Sunday  | [{"apples":5, "bananas":2}, {"pears":12, "cucumbers":9}, ...]
Monday  | [{"apples":6, "bananas":1}, {"watermelon": 1}]
Tuesday | [{"apples":4, "bananas":3}, {"tomatoes": 1}]

How do I construct a SQL query that searches for a substring in items, given that it is not a string?

Thanks
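An added example, not the asker's code, using SQLite through Python's sqlite3 on a constructed copy of the table: the substring search is a parameterised LIKE over the JSON text with its wildcards escaped, so a user-supplied needle can neither act as a pattern nor inject SQL, and a second query uses json_each to match keys inside the array's objects instead of raw text. It assumes the column stores the JSON as text and that the SQLite build includes the JSON functions.

```python
import sqlite3

# Constructed sample rows mirroring the post's table (not real data).
ROWS = [
    ("Sunday",  '[{"apples":5, "bananas":2}, {"pears":12, "cucumbers":9}]'),
    ("Monday",  '[{"apples":6, "bananas":1}, {"watermelon": 1}]'),
    ("Tuesday", '[{"apples":4, "bananas":3}, {"tomatoes": 1}]'),
]


def build_db() -> sqlite3.Connection:
    """In-memory table; the JSON array is stored as text, as in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (day TEXT, items TEXT)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)", ROWS)
    return conn


def escape_like(needle: str) -> str:
    """Escape LIKE metacharacters so the needle is matched literally, not as a pattern."""
    return needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def days_with_substring(conn, needle: str) -> list:
    """Days whose items text contains the substring anywhere; the needle is bound, never concatenated."""
    pattern = "%" + escape_like(needle) + "%"
    sql = "SELECT day FROM sales WHERE items LIKE ? ESCAPE '\\' ORDER BY day"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def days_with_key(conn, key: str) -> list:
    """Days where some object in the array has exactly this key: json_each expands
    the array into objects, then each object into key/value rows."""
    sql = """
        SELECT DISTINCT s.day
        FROM sales AS s, json_each(s.items) AS obj, json_each(obj.value) AS kv
        WHERE kv.key = ?
        ORDER BY s.day
    """
    return [row[0] for row in conn.execute(sql, (key,))]
```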

Can message length be useful information?

Suppose a packet is encrypted and sent via an insecure channel so that it is intercepted by a malicious third party as well as the intended recipient. As long as a suitable encryption scheme is used, the message should be (practically) uncrackable.

However, assuming that encryption preserves message length to a certain degree, the third party will gain some info about the size of the message. Is there any context in which knowing only a message’s length could be useful to a hacker? If so, what are some examples?
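An added illustration (not from the post) of the leak the question describes and the usual mitigation: a one-time pad stands in for any length-preserving cipher, so an observer who sees only len(ciphertext) can tell short candidate messages apart, while padding to a fixed bucket size before encryption collapses those lengths. The candidate messages and the bucket size are constructed for the example.

```python
import secrets


def otp_encrypt(plaintext: bytes) -> tuple:
    """A length-preserving cipher (one-time pad) standing in for any stream or AEAD mode:
    the ciphertext is exactly as long as the plaintext, so len() survives encryption."""
    key = secrets.token_bytes(len(plaintext))
    return key, bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def pad_to_bucket(msg: bytes, bucket: int) -> bytes:
    """Pad to the next multiple of `bucket`, keeping the true length in a 2-byte trailer,
    so the ciphertext length reveals only which bucket the message fell into."""
    assert len(msg) < 65536
    target = -(-(len(msg) + 2) // bucket) * bucket      # ceiling to a bucket boundary
    return msg + bytes(target - len(msg) - 2) + len(msg).to_bytes(2, "big")


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[-2:], "big")
    return padded[:n]


def consistent_candidates(observed_len: int, candidate_lens: dict) -> set:
    """What a passive observer learns: the candidate messages whose ciphertext length matches."""
    return {name for name, length in candidate_lens.items() if length == observed_len}


def leak_demo(messages: dict, bucket: int = None) -> dict:
    """Encrypt each candidate (optionally padded) and report, per message, which
    candidates the ciphertext length alone still leaves open."""
    enc_len = {}
    for name, msg in messages.items():
        body = pad_to_bucket(msg, bucket) if bucket else msg
        _, ct = otp_encrypt(body)
        enc_len[name] = len(ct)
    return {name: consistent_candidates(enc_len[name], enc_len) for name in messages}
```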