On Thu, 23 Jul 2015 09:50:23 +0200, Stefan Heymann <li...@stefanheymann.de> wrote:
> In the FB3 Release Notes the chapter about "Increased Password Length"
> speaks of a maximum of 20 *bytes*. The second blue box in this chapter
> then asks:
>
> Why is the password effectively limited to 20 *characters*?

There is no 20 character limit on passwords in Firebird 3 (there however is an internal implementation limit, of - IIRC - 256 bytes). The passwords are hashed to a 160 bit (or 20 byte) hash, which has led to the - in my opinion - unfortunate use of "effective length/limit of 20 characters" in the documentation. This is cryptographically inaccurate, and even when applying the pigeonhole principle with commonly used password characters, that 'effective' limit would be more than 20 characters.

As long as you use a password that fits within the implementation limit, it will be fully hashed, and distinct from a password that is just the prefix of that password. But, because of the pigeonhole principle, it is of course possible that two different passwords generate the same hash, so bruteforcing passwords might find a (shorter) password that matches the hash, even though it is not the password you used (this is what the 'effective limit' refers to).

> It is unclear from this documentation if this is about bytes or
> characters. What character set is used for storing passwords? Are
> these restricted to 7-Bit US-ASCII? (in this case, the number of bytes
> and characters would be the same, but it should be clear from the
> documentation).

Passwords aren't stored, they are hashed and the hash is stored (as OCTETS). Internally for passwords I believe UTF-8 is used. However that is not really relevant for the length requirements: there is no length limitation on passwords (apart from the above mentioned implementation limit); there is just a limit on the amount of security a longer password provides due to the surjective nature of hashing algorithms (and that 'limit' is more than 20!).

Mark

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
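
The distinction drawn in the reply above, as an added example that is not part of the original post and is not Firebird's code: a 160-bit digest differs from a 20-byte truncation, and the pigeonhole length for common alphabets is above 20. SHA-1 is an assumption, used only as a stand-in 160-bit hash; the function names and sample passwords are constructed for illustration.

```python
import hashlib

HASH_BITS = 160  # digest size stated in the post (20 bytes)

# Constructed sample passwords (ASCII, so 1 character == 1 byte in UTF-8).
LONG = "correct horse battery staple 2015"
PREFIX = LONG[:20]


def digest160(password: str) -> bytes:
    """Hash the UTF-8 bytes of the whole password to 160 bits.

    Assumption: SHA-1 stands in for "a 160-bit hash"; the post names no algorithm.
    """
    return hashlib.sha1(password.encode("utf-8")).digest()


def truncate20(password: str) -> bytes:
    """What a literal 20-byte limit would do: keep only the first 20 bytes."""
    return password.encode("utf-8")[:20]


def pigeonhole_length(alphabet_size: int, bits: int = HASH_BITS) -> int:
    """Smallest n with alphabet_size**n > 2**bits.

    At that length there are more possible passwords (of exactly n symbols)
    than hash values, so some two of them must share a digest.
    """
    n = 0
    while alphabet_size ** n <= 2 ** bits:
        n += 1
    return n


if __name__ == "__main__":
    # Hashing covers the full input: the long password and its prefix differ.
    print("hash equal:     ", digest160(LONG) == digest160(PREFIX))
    # Truncation would make them indistinguishable.
    print("truncated equal:", truncate20(LONG) == truncate20(PREFIX))
    # Characters and bytes diverge once the password is not plain ASCII.
    pw = "pässwörd"
    print("chars:", len(pw), "bytes:", len(pw.encode("utf-8")))
    for name, size in [("printable ASCII", 95), ("alphanumeric", 62), ("any byte", 256)]:
        print(f"{name:16} -> collisions guaranteed from length {pigeonhole_length(size)}")
```
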