• zqwzzle@lemmy.ca
    link
    fedilink
    English
    arrow-up
    51
    arrow-down
    1
    ·
    10 months ago

    So they’re not hashing or salting the passwords too. Cool…

        • Semi-Hemi-Demigod@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          10 months ago

          If you do the salting and hashing in a database query you need to sanitize the input before you use it or you open yourself to SQL injection.

          Databases have salting and hashing functions, after all

    • Rednax@lemmy.world
      link
      fedilink
      arrow-up
      9
      ·
      10 months ago

      Which makes me want to try and insert a password of a few megabytes worth of text. Should be fine, since there is no max lenght defined, right?

      • lars@lemmy.sdf.org
        link
        fedilink
        arrow-up
        4
        ·
        10 months ago

        If there is no overwrought prohibition of something I know that at least in America that means it’s

        1. Affirmatively legal and
        2. Legislatively encouraged by the FREEE Act

        So give ’em hell!

    • CrayonRosary@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      10 months ago

      That’s not how it works. The code always has access to the submitted plaintext password. It’s salted and hashed after it’s verified for complexity. The complexity verification can even be done in JavaScript.