blackstrat

joined 1 year ago
[–] blackstrat@lemmy.fwgx.uk 13 points 2 months ago (7 children)

On a tangentially related note, this documentary series from BBC4 is a fascinating insight into the decision making process the US went through over dealing with foreign mass atrocities over the past 40 years: Iraq, Bosnia, Rwanda, Syria etc.

Warning: they do not hold back with the imagery of these events.

Corridors of Power: Should America Police the World?

[–] blackstrat@lemmy.fwgx.uk 1 points 2 months ago (1 children)

Last year I went from a 10 year old Nikon D7100 with 17-55 f/2.8 to a Nikon Z6 with 24-70 f/4 and holy moly there is an insane difference in quality. I was absolutely blown away. If you can afford it I highly recommend getting something newer. It really breathed fresh air into my photography and got me excited that I can get really sharp photos, even at high ISOs with good tracking.

[–] blackstrat@lemmy.fwgx.uk 12 points 2 months ago (4 children)

Then in a few years you'll be gassing for those 3k lenses, a 5k camera and a carbon fibre tripod, a few flashguns etc.

[–] blackstrat@lemmy.fwgx.uk 1 points 2 months ago (1 children)

This, but in big friendly letters.

[–] blackstrat@lemmy.fwgx.uk 2 points 2 months ago

"Soap is soap, it's self cleaning"

[–] blackstrat@lemmy.fwgx.uk 2 points 2 months ago

That would involve quite a bit of begging if I were to try that too.

[–] blackstrat@lemmy.fwgx.uk 1 points 2 months ago (1 children)

You were saying the input size doesn't matter because you only store the hash which is always the same size. What I'm saying is that the input size really does matter.

You absolutely should set upper limits on all input fields because it will be abused if you don't. Systems should validate their inputs, passwords included.

[–] blackstrat@lemmy.fwgx.uk 1 points 2 months ago

Who mentioned reliability? I'm thinking of the red mist taking himself out forcing an overtake that isn't on.

[–] blackstrat@lemmy.fwgx.uk 0 points 2 months ago* (last edited 2 months ago) (4 children)

You can make a client hash it, but if you don't reject large inputs to your API a client can send enough data to DoS you anyway.

[–] blackstrat@lemmy.fwgx.uk 3 points 2 months ago (6 children)

The resulting hash will always be the same size, but you don't want to have an unlimited upper bound, otherwise I'm using a 25GB Blu-ray rip as my password and your service is going to have to calculate the hash of that whenever I log in.

Sensible upper bounds are a must to provide a reliable service not open to DDoS exploits.

[–] blackstrat@lemmy.fwgx.uk 2 points 2 months ago

Not necessarily. Presumably the change password form requires entering the old and new password at the same time. Then they can compare the two as plain text and hash the old password to make sure it matches, then if so, hash the new password and overwrite it. Passwords stored hashed, comparison only during the change process. A theme on this is checking password complexity rules during the login process and advising to update to something more secure. It's possible because you're sending the password as plain text (hopefully over a secure connection), so it can be analysed before computing the hash. This even works if the hash is salted and peppered.
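The two points made in these comments, rejecting oversized passwords before any hashing work and checking the plaintext during a change-password flow before the new hash is stored, as an added example that is not the commenter's code. MAX_PASSWORD_BYTES, MIN_PASSWORD_CHARS and the PBKDF2 parameters are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_PASSWORD_BYTES = 128   # assumed bound: enforced before the KDF ever runs
MIN_PASSWORD_CHARS = 12    # assumed complexity rule, checked on the plaintext
PBKDF2_ITERATIONS = 200_000  # assumed work factor (deliberately expensive)

@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes

class PasswordTooLong(ValueError):
    """Raised before hashing so an oversized input costs no KDF work."""

def _check_bounds(password: str) -> bytes:
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"{len(raw)} bytes exceeds {MAX_PASSWORD_BYTES}")
    return raw

def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    raw = _check_bounds(password)          # length check first, KDF second
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return PasswordRecord(salt, digest)

def verify_password(password: str, record: PasswordRecord) -> bool:
    try:
        raw = _check_bounds(password)
    except PasswordTooLong:
        return False                       # oversized login attempt never reaches the KDF
    candidate = hashlib.pbkdf2_hmac("sha256", raw, record.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record.digest)

def meets_policy(password: str) -> bool:
    # The plaintext is available at login/change time, so policy is checked here,
    # before hashing; the stored hash alone could never answer this question.
    return len(password) >= MIN_PASSWORD_CHARS and not password.isalpha()

def change_password(record: PasswordRecord, old_password: str, new_password: str) -> PasswordRecord:
    if not verify_password(old_password, record):
        raise PermissionError("old password does not match the stored hash")
    if old_password == new_password:
        raise ValueError("new password must differ from the old one")
    if not meets_policy(new_password):
        raise ValueError("new password does not meet the complexity policy")
    return hash_password(new_password)     # only now is the new hash computed
```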
