
Modern password practices #81

Open
txtsd opened this issue Jan 27, 2022 · 0 comments
txtsd commented Jan 27, 2022

  1. Use password_hash() instead of crypt()
    From the crypt page: password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.
    Ideally, use it with Argon instead of bcrypt since the latter truncates passwords to 72 chars.

  2. Do not set a max password length.
    Or at the very least, set it to a sane number. 20 is ridiculously small, and subject to ridicule. 64 should be the smallest max length one should consider.
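The points above, worked through as an added PHP example (not code from this project): Argon2id via password_hash(), transparent rehashing of legacy crypt()/bcrypt hashes at login, and a check that bcrypt really ignores everything after byte 72 while Argon2id does not. It assumes PHP 7.3 or later built with Argon2 support; the 1024-byte cap and the sample passwords are constructed.

```php
<?php
declare(strict_types=1);

// Constructed example, not code from this project. Assumes PHP >= 7.3 built with Argon2 support.
// PW_MAX_BYTES is an assumption: it only bounds hashing work per request, well above any policy limit.
const PW_ALGO = PASSWORD_ARGON2ID;
const PW_MAX_BYTES = 1024;

function hashPassword(string $password): string
{
    if (strlen($password) > PW_MAX_BYTES) {
        throw new InvalidArgumentException('password longer than ' . PW_MAX_BYTES . ' bytes');
    }
    // password_hash() picks a random salt and the algorithm's default cost parameters
    // and embeds both in the returned string, so nothing else needs storing.
    return password_hash($password, PW_ALGO);
}

// Verifies a login and, when the stored hash is a legacy crypt()/bcrypt hash or uses
// weaker parameters than PW_ALGO's current defaults, returns a replacement hash the
// caller must persist. This migrates existing users transparently on their next login.
function verifyAndMaybeRehash(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($storedHash, PW_ALGO) ? hashPassword($password) : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// Shows the 72-byte truncation the issue mentions: two passwords that agree on their
// first 72 bytes verify against the same bcrypt hash, but not against an Argon2id hash.
function truncationDemo(): array
{
    $a = str_repeat('a', 72) . 'tail-one';
    $b = str_repeat('a', 72) . 'tail-two';
    return [
        'bcrypt_accepts_other_tail'   => password_verify($b, password_hash($a, PASSWORD_BCRYPT)),
        'argon2id_accepts_other_tail' => password_verify($b, password_hash($a, PASSWORD_ARGON2ID)),
    ];
}

// Constructed legacy record: a crypt()-style bcrypt hash of an existing user's password.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$login = verifyAndMaybeRehash('correct horse battery staple', $legacyHash);
var_dump($login['ok'], $login['newHash'] !== null, password_get_info($login['newHash'])['algoName']);
var_dump(truncationDemo());
```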
