Posted

I prefer to use, when I can, passphrases.

I logged in today after a few days only to see 'This account is already logged in'. After a quick check of my characters to make sure nothing obvious had been disturbed, I immediately changed my password. I doubt anything malicious has happened. Chances are I closed out while still on a flashback or TF. Still, I'd kinda like to have a longer password than 15 characters, at least until we get something like OAuth or some form of 2FA.

 

I've not looked at the Ourodev authentication code (or any of the code, really). I don't know how that password field is saved. If it's a varchar in an SQL database, it seems like an 'alter table/modify column' wouldn't be terribly onerous.

I say that, and it's probably a set-width string or, worse, a null-terminated C string.

Posted (edited)
13 minutes ago, aethereal said:

It hopefully is stored as a hash. So the input size shouldn't really matter.

Salted and peppered hash (encryption terms and not cooking terms) is best practice, really. I vaguely remember reading something about work being done on the auth database to bring it up to modern levels, though, which makes me worry that it's not.

I'm the sort that doesn't really trust password authentication on its own. It's a good 'first layer', so long as you ALWAYS use a different password for every different resource.

There are good free pw managers out there, but I use an encrypted disk container for those I don't memorize and try to change them often.

(Why yes, I do talk to a doctor about my paranoia. Why do you ask?)

Edited by mechahamham
Correction.
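
The point raised in the posts above (a hashed password has a fixed stored size, so a column width need not cap passphrase length), as an added example that is not part of the original thread and is not Ourodev's code. It assumes scrypt as the password hash and an HMAC-SHA256 pepper step; the function names, parameters and pepper value are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed pepper for the demo; in practice it is kept outside the database.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"
# Assumed work factors: about 16 MiB of memory per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def _prehash(passphrase: str) -> bytes:
    """Mix in the pepper with HMAC-SHA256; any input length becomes 32 bytes."""
    return hmac.new(PEPPER, passphrase.encode("utf-8"), hashlib.sha256).digest()


def hash_passphrase(passphrase: str) -> str:
    """Return 'salt_hex$hash_hex', the only value that gets stored."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.scrypt(_prehash(passphrase), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, hash_hex = record.split("$")
    digest = hashlib.scrypt(
        _prehash(passphrase), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    short = "fifteen-chars-x"  # 15 characters
    long_ = "correct horse battery staple, but a good deal longer than fifteen"
    for pw in (short, long_):
        rec = hash_passphrase(pw)
        # The stored record has the same length whatever the input length.
        print(len(pw), len(rec), verify_passphrase(pw, rec))
```
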
