Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The question was:

> How is exposing length of a password a vulnerability?

You're arguing exactly the point.. knowing the length of a password is helpful in cracking it. We all agree short is bad. Depending on your threat model, you (hopefully) don't use passwords as the only verification very many places - perhaps to unlock stronger secrets (ssh keys, an account without local login that can only connect with a certificate). You'd still rather a shoulder surfer doesn't know how many characters you pressed.



Any password of a length that could feasibly be cracked by way of brute force (So up to perhaps 8?) would only save 1/N of the total time taken to crack it with N being the length if one were to know the exact length.

So yes, sure, technically there is an effect, but it's such a small effect, and only for people that should change their damn passwords already, that it's worth making the change for the improved UX.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: