V2.1.2 Verify that passwords 64 characters or longer are permitted but may be no longer than 128 characters.

[Sjord]

V2.1.2 Verify that passwords 64 characters or longer are permitted but may be no longer than 128 characters.

This requirement could use improvement on the subject of English grammar.

Verify that passwords 64 characters or longer

This is missing an "of", so should be "passwords of 64 characters or longer".

but may be no longer than 128 characters.

This subsentence is missing a subject, and the previous subsentence doesn't have a clear subject, since it's imperative.

I suggest:

Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied.

The upper limit was introduced in #756. @ThunderSon suggested:

V2.1.2 Verify that passwords allow for long passwords (e.g. 64 characters) and have an upper bound limit (e.g. 128 characters).

@tghosth suggests:

V2.1.2 Verify that passwords of up to 64 characters are allowed but no more than that to avoid resource overuse and other bugs.

Or:

V2.1.2 Verify that passwords of up to 64 characters are allowed but no more than that to avoid resource overuse and the bcrypt truncation bug.

The sentence we have now was introduced by @jmanico in 336c235.

I don't want to discuss the value of the upper bound, just improve this requirement's language.

[jmanico]

Your language change sounds reasonable to me. It may be helpful to throw all requirements through a grammar checking program like Grammerly.

…

-- Jim Manico @manicode

On Dec 23, 2020, at 11:43 PM, Sjoerd Langkemper ***@***.***> wrote:  V2.1.2 Verify that passwords 64 characters or longer are permitted but may be no longer than 128 characters. This requirement could use improvement on the subject of English grammar. Verify that passwords 64 characters or longer This is missing an "of", so should be "passwords of 64 characters or longer". but may be no longer than 128 characters. This subsentence is missing a subject, and the previous subsentence doesn't have a clear subject, since it's imperative. I suggest: Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied. The upper limit was introduced in #756. @ThunderSon suggested: V2.1.2 Verify that passwords allow for long passwords (e.g. 64 characters) and have an upper bound limit (e.g. 128 characters). @tghosth suggests: V2.1.2 Verify that passwords of up to 64 characters are allowed but no more than that to avoid resource overuse and other bugs. Or: V2.1.2 Verify that passwords of up to 64 characters are allowed but no more than that to avoid resource overuse and the bcrypt truncation bug. The sentence we have now was introduced by @jmanico in 336c235. I don't want to discuss the value of the upper bound, just improve this requirement's language. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.