Sure, nobody leaves the front door open on the password file any more. But breaches occur regularly and the password files leak...
You are optimizing for a very specific case:
* Even Linux is willing to let you use long passwords where
anything past 8 characters is quietly ignored—if you set things
up wrong. I've twice discovered this where I didn't set it up that
way; a system installation script did.
But there are a lot of ways for people to get security wrong; by
the time they let their password data leak, you need to assume
things are very broken.
What makes you think there is any hashing going on at random
I have a large collection of plain-text passwords that have
publicly leaked; where did I get those? That doesn't smell like
hashing to me. Why do so many sites have password length and
severe password content restrictions? That doesn't smell like
hashing to me.
Do you have an ATM card? Well, if someone finds a way into your bank's computers that isn't via your PIN, then it didn't happen because your PIN was too short. And if you have to change your PIN as part of the cleanup, your new one doesn't have to be any longer than was your old one. The PIN wasn't the problem.
By telling people that every password has to be unmanageably long, you are effectively discouraging people from using difficult passphrases when it really does matter: for encryption.