Solved

What to allow as password?

Posted on 2010-11-29
12
336 Views
Last Modified: 2012-06-27
Hi,

Currently I use regexp to check the format of a password.
At the moment I only allow 0-9, a-z, A-Z

I bet some users find that annoying, so I would like to accept as many as possible, but what is safe?

I such at Regular Expresions, so please post that too if possible :)
0
Comment
Question by:kgp43
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236509
You can also include special chars?

for example,  alphabetic + numeric +  special characters
0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236514
just ref.
ref. this link
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:kgp43
ID: 34236528
I do not want to force to the user to use numbers, capitals etc - thats up to them.
I just want to make sure he isnt using some "illegal" chars? what should I reject?
0
 
LVL 18

Accepted Solution

by:
Sudaraka Wijesinghe earned 250 total points
ID: 34236573
I would allow anything user can enter and store the hash (md5) of the password in the DB or whatever.
0
 

Author Comment

by:kgp43
ID: 34236628
I'm already using sha256 + salt on password.
Guess there will be no problem then.
0
 
LVL 7

Assisted Solution

by:lexlythius
lexlythius earned 250 total points
ID: 34236640
I disagree with sudaraka.
Storing the MD5 hash is unsafe. Even single SHA256 + salt is unsafe. See Thomas Ptacek's article on password hashing.

I would say a good bet is allowing all printable characters within the ASCII basic charset, which is common to all charsets and UTF encodings, like so:
if (preg_match("/^[ -~]{8,}$/", $the_password) == 1) {
	echo "password ok";
}
else {
	echo "illegal password";
}

Open in new window


That will allow any combination of at least 8 printable ASCII characters.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236641
Yes, that would be just fine.
0
 

Author Comment

by:kgp43
ID: 34236651
That is awesome, giving points to both of you.

Thanks for the help, this is great :)
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236666
@lexlythius, What I meant to say if using a hashing method like md5 (or sha) you don't have to worry about what user enters for the password. Slashes (\/), quotes ("') or wildcard characters (%?*) that might give trouble in the storage or processing will not come into play when using hashes.


Also if your hash produce a binary string, you might want to use something like base64 encoding.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236669
Glad to help. Thanks for the points.
0
 
LVL 7

Expert Comment

by:lexlythius
ID: 34241031
@sudaraka I see what you mean.

Anyway, handling strings with different encodings is tricky, so a charset or encoding mismatch can mess up the hash matching.

Personally, I'd rather loose some password entropy to risk that chance. But it is a matter of taste I guess.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
The viewer will learn how to count occurrences of each item in an array.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question