In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
There is no good reason so send the passwors itself to the server. Send the hash and you will have a fixes length of data to send anyway.
And even if insist in sending the password over the wire, there is no problem on the backend to handle longer passwords than that, so that no one will run into a limit in practice. We’re talking about bytes here, not even a kb.
Proper hashing of a password includes a salt that should be kept private. This means the password should definitely be passed to the server in plaintext. The server adds the salt to the password, then hashes it.
This adds more protection should an attacker somehow manage to get access to your hashed passwords. Even if they identify the type of hashing mechanism used it will prevent the use of rainbow tables, dictionary attacks, etc. against the hashes.
While I’m not arguing for doing the crypto client side, the salt isn’t needed to be private - only unique.
It definitely needs to be private. If an attacker can obtain both the password hashes and the salt(s) (via the same database vulnerability for example) then they have everything they need to run offline attacks against the passwords.
No, it most definitely does not need to be private. The idea with salt is to invalidate rainbow tables. If you’re “keeping it private” it’s just another password.
https://en.wikipedia.org/wiki/Salt_(cryptography)
If that were the case you could still hash it on the client side, forcing it to be a certain size and then hash it again on the server with the right salt. I don’t think there’s a real disadvantage to hashing a hash.
you absolutely should not be hashing client side. You need to securely transmit the password to the server where it is hashed. You do not want clients knowing /how/ the password is salted/hashed. this lowers your security overall.
There’s some software that hashes the password clientside before sending it, sure. But it still should be hashed serverside too.
If the server hashes a hash, the plaintext password’s length is still irrelevant
That’s not true. There’s limits everywhere.
At no point the server has to deal with the length of the plaintext