Solved

What to allow as password?

Posted on 2010-11-29
12
331 Views
Last Modified: 2012-06-27
Hi,

Currently I use regexp to check the format of a password.
At the moment I only allow 0-9, a-z, A-Z

I bet some users find that annoying, so I would like to accept as many as possible, but what is safe?

I such at Regular Expresions, so please post that too if possible :)
0
Comment
Question by:kgp43
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236509
You can also include special chars?

for example,  alphabetic + numeric +  special characters
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236512
0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236514
just ref.
ref. this link
0
 

Author Comment

by:kgp43
ID: 34236528
I do not want to force to the user to use numbers, capitals etc - thats up to them.
I just want to make sure he isnt using some "illegal" chars? what should I reject?
0
 
LVL 18

Accepted Solution

by:
Sudaraka Wijesinghe earned 250 total points
ID: 34236573
I would allow anything user can enter and store the hash (md5) of the password in the DB or whatever.
0
 

Author Comment

by:kgp43
ID: 34236628
I'm already using sha256 + salt on password.
Guess there will be no problem then.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 7

Assisted Solution

by:lexlythius
lexlythius earned 250 total points
ID: 34236640
I disagree with sudaraka.
Storing the MD5 hash is unsafe. Even single SHA256 + salt is unsafe. See Thomas Ptacek's article on password hashing.

I would say a good bet is allowing all printable characters within the ASCII basic charset, which is common to all charsets and UTF encodings, like so:
if (preg_match("/^[ -~]{8,}$/", $the_password) == 1) {
	echo "password ok";
}
else {
	echo "illegal password";
}

Open in new window


That will allow any combination of at least 8 printable ASCII characters.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236641
Yes, that would be just fine.
0
 

Author Comment

by:kgp43
ID: 34236651
That is awesome, giving points to both of you.

Thanks for the help, this is great :)
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236666
@lexlythius, What I meant to say if using a hashing method like md5 (or sha) you don't have to worry about what user enters for the password. Slashes (\/), quotes ("') or wildcard characters (%?*) that might give trouble in the storage or processing will not come into play when using hashes.


Also if your hash produce a binary string, you might want to use something like base64 encoding.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236669
Glad to help. Thanks for the points.
0
 
LVL 7

Expert Comment

by:lexlythius
ID: 34241031
@sudaraka I see what you mean.

Anyway, handling strings with different encodings is tricky, so a charset or encoding mismatch can mess up the hash matching.

Personally, I'd rather loose some password entropy to risk that chance. But it is a matter of taste I guess.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now