
It becomes problematic when it needs to be hashed: you can essentially DDoS servers by sending extremely long passwords that need to be hashed.



Realistically speaking, the hash would be your smallest problem if you're being DDoSed.

Bcrypt, for example, would require at most ~6.4Mb of memory to do the hash, and more realistically only the 100k plus some constant. And modern CPUs are pretty efficient at doing the encryption steps, meaning little additional load for encrypting a larger value.


[flagged]


Attacking another user like that will get you banned here. No more of that, please.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


Part of why I prefer to have authentication on a separate server... if it gets DDoS'd, at least existing sessions can carry on.



