Anthony, SQL Sorcerer

Intimation? Intimidation, Anthony! Please can we have an edit feature for tweets, @Twitter?

For the record, I did not know this until recently. Check out the http://HackerOne.com  sign-up and sign-in pages and notice that they impose a 72 character limit, too!

So, as we've all learned that plain-text passwords are bad, not to use md5 or sha1, to not encrypt passwords, and all the other steps that we all go through at some point, now you've learned to limit the maximum password length (assuming you didn't already know)

There are easier, cheaper, faster ways to break into your system. Like getting on a plane, flying around the world, and forcing your target to reveal the password with some form of intimation tactic (don't do this, please).

How long would it take to brute force a 72 character password hashed with BCrypt? Even with a low cost applied, there probably isn't enough time left in the universe with modern technology to crack that one.

The second is that your hash algorithm probably discards everything over a certain length, anyway. BCrypt, for example, discards everything over 72 characters.

The first is that many of us use a regex validator to check that the password meets various length and complexity rules. Regex does not perform well on large strings! Like, it can be very bad. Catastrophic backtracking, for example, is catastrophic

So what does it matter? Longer passwords are more secure, right? So why would any sane developer enforce a maximum limit? Turns out there are a couple of good reasons!

The cool thing about password hashes is that they always come out the same length. So it doesn't matter if you hash the letter A, or if you hash the entirety of War and Peace. The hash of both (assuming you used the same algorithm, obviously) will be the same length.

You know how a maximum password length on a website is a tell tale sign that the developers store your password in either plain-text or an encrypted form? Yeah, not necessarily. Why would you impose a limit if you're storing a hash of the password?

What's the answer? Damned if I know. But if you have an answer, lemme know!

Oh, sure, you can go do-not-disturb, but that's akin to locking yourself in a room on your own. Do you do that if you're based in an office? Nope.

Communicating when working remote is hard. If you're in an office together you can see if someone looks like they don't want to be distracted. You can't easily do that remotely.

If Slack isn't the greatest distraction when you're trying to work, especially when working remotely, I don't know what is.

What the hell?https://twitter.com/KawausoDashi/status/1223150664089587712 …

I spent maybe 70 hours in this game in the 90s. And now it's been completed in less than 12 minutes? What? #OcarinaOfTime #BestGameEver?https://twitter.com/Foone/status/1221158882011013120 …

Lead singer of Adam and the Ants https://twitter.com/ThatEricAlper/status/1220836243778560007 …

Haven't ordered from @Dominos_UK for years; not since they stopped making the Dominator base. Caved yesterday as I fancied their cookies. So much regret! Local pizzerias make much better pizzas, and usually considerably cheaper. Won't make this mistake again