
Appendix A.2 - rationale for limiting password length #2008

Open
si-chan opened this issue Jul 3, 2024 · 1 comment


si-chan commented Jul 3, 2024

The Appendix currently states in section 2: "Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit."

The excessive hashing time, whilst of concern to the CSP, is probably not the main factor preventing arbitrarily long memorised secrets (passwords), since the user must firstly memorise such a long password / passphrase and secondly, enter it somehow (presumably through a manual input mechanism). The example given of "megabytes" is unreasonable given these human constraints.

Consider revising the language to reference the number of characters rather than total information storage required, as this is more human-context terminology.

For example:
"Extremely long passwords (perhaps several hundred characters in length) could conceivably require excessive input time by the subscriber, or consume excessive resources at the CSP to hash the password, so it is reasonable to have some limit."

elvey commented Nov 1, 2024

  1. It already says elsewhere, "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."

  2. Products of advances in cryptography and/or quantum computing technology may progress from posing potential threats to currently solid cryptography algorithms, to being attack tools usable in the real world. If so, it may turn out to be the case that very long passwords, stored by password managers, would be a useful countermeasure. It's thus perhaps not appropriate to presume manual input. Still, I doubt multi-kilobyte, let alone multi-megabyte passphrases will ever be useful. OTOH, history suggests caution; IPv4 space and 640K of addressable RAM were once assumed to be more than would ever be needed.
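
The two comments above turn on a distinction a verifier has to make explicit: the "64 characters" the standard asks verifiers to permit is a count of what a person types, while the hashing cost the appendix worries about depends on the number of bytes fed to the KDF. The example below is added here and is not code from the issue thread, from the usnistgov repository, or from SP 800-63B. It enforces a character-count policy (8 and 64 follow the standard; the 256-character and 512-byte caps are assumptions chosen for the example) separately from a byte cap, and pairs it with a textbook PBKDF2-HMAC-SHA256 that re-keys its HMAC every iteration, so that the cost of an over-long input can be measured directly. The salt is constructed for the demonstration.

```python
"""Added example (not from the GitHub issue or from SP 800-63B).

Part 1: a length policy that counts characters and UTF-8 bytes separately.
Part 2: a naive PBKDF2 showing that hashing cost follows the byte count.
"""
import hashlib
import hmac
import time
import unicodedata

# 8 and 64 follow SP 800-63B (minimum length; verifiers SHOULD permit at least
# 64 characters). MAX_CHARS and MAX_BYTES are assumptions for this example.
MIN_CHARS = 8
PERMIT_AT_LEAST_CHARS = 64
MAX_CHARS = 256          # human-scale cap on typed characters
MAX_BYTES = 512          # cap on what is actually handed to the KDF


def measure(secret: str) -> tuple[int, int]:
    """Return (characters, UTF-8 bytes) after NFKC normalization.

    SP 800-63B recommends NFKC or NFKD normalization before hashing, so the
    character count is taken on the normalized string: policy and KDF then
    see the same text. 'ﬁ' (U+FB01) becomes 'fi', two characters.
    """
    s = unicodedata.normalize("NFKC", secret)
    return len(s), len(s.encode("utf-8"))


def check_length(secret: str) -> str:
    """Return 'ok' or a rejection reason, decided before any hashing."""
    n_chars, n_bytes = measure(secret)
    if n_chars < MIN_CHARS:
        return "too short"
    if n_chars > MAX_CHARS:
        return "too long (characters)"
    # 256 characters of 4-byte code points would be 1024 bytes; the byte
    # cap is the one that bounds KDF work, independent of the character cap.
    if n_bytes > MAX_BYTES:
        return "too long (bytes)"
    return "ok"


def naive_pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, first 32-byte output block only.

    Written as the RFC 8018 formula reads: a fresh HMAC keyed with the
    password on every iteration. HMAC hashes any key longer than the 64-byte
    SHA-256 block before use, so each iteration re-hashes the whole password
    and total cost grows with password length times iteration count. An
    implementation that keys the HMAC once and reuses the state pays that
    cost only once, but a byte cap still bounds the request it must absorb.
    """
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    out = u
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        out = bytes(a ^ b for a, b in zip(out, u))
    return out


def matches_library_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bool:
    """Sanity check: the naive version must agree with hashlib's PBKDF2."""
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return naive_pbkdf2_sha256(password, salt, iterations) == ref


def cost_ratio(short_len: int = 16, long_len: int = 64 * 1024,
               iterations: int = 200) -> float:
    """How many times longer the naive KDF takes on long_len bytes vs short_len."""
    salt = b"constructed-salt"  # constructed; real verifiers use a random per-user salt

    def seconds(pw: bytes) -> float:
        t0 = time.perf_counter()
        naive_pbkdf2_sha256(pw, salt, iterations)
        return max(time.perf_counter() - t0, 1e-9)

    return seconds(b"x" * long_len) / seconds(b"x" * short_len)


if __name__ == "__main__":
    # constructed sample inputs
    for s in ["hunter2", "correct horse battery staple", "a" * 64, "🔑" * 200, "A" * 300]:
        n_chars, n_bytes = measure(s)
        print(f"{n_chars:>4} chars / {n_bytes:>4} bytes -> {check_length(s)}")
    print("naive PBKDF2 matches hashlib:", matches_library_pbkdf2(b"pw", b"salt", 10))
    print(f"64 KiB input costs ~{cost_ratio():.0f}x a 16-byte one in the naive PBKDF2")
```

Running it shows 200 key emoji being rejected on bytes (800) while passing the character count (200), which is the gap between "characters" and "information storage" that the first comment raises; the cost ratio is the processing-time concern the appendix text is actually about, and it is a function of bytes, not of what the subscriber has to memorise.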
