Solved

What to allow as password?

Posted on 2010-11-29
12
330 Views
Last Modified: 2012-06-27
Hi,

Currently I use regexp to check the format of a password.
At the moment I only allow 0-9, a-z, A-Z

I bet some users find that annoying, so I would like to accept as many as possible, but what is safe?

I such at Regular Expresions, so please post that too if possible :)
0
Comment
Question by:kgp43
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236509
You can also include special chars?

for example,  alphabetic + numeric +  special characters
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236512
0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236514
just ref.
ref. this link
0
 

Author Comment

by:kgp43
ID: 34236528
I do not want to force to the user to use numbers, capitals etc - thats up to them.
I just want to make sure he isnt using some "illegal" chars? what should I reject?
0
 
LVL 18

Accepted Solution

by:
Sudaraka Wijesinghe earned 250 total points
ID: 34236573
I would allow anything user can enter and store the hash (md5) of the password in the DB or whatever.
0
 

Author Comment

by:kgp43
ID: 34236628
I'm already using sha256 + salt on password.
Guess there will be no problem then.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 7

Assisted Solution

by:lexlythius
lexlythius earned 250 total points
ID: 34236640
I disagree with sudaraka.
Storing the MD5 hash is unsafe. Even single SHA256 + salt is unsafe. See Thomas Ptacek's article on password hashing.

I would say a good bet is allowing all printable characters within the ASCII basic charset, which is common to all charsets and UTF encodings, like so:
if (preg_match("/^[ -~]{8,}$/", $the_password) == 1) {
	echo "password ok";
}
else {
	echo "illegal password";
}

Open in new window


That will allow any combination of at least 8 printable ASCII characters.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236641
Yes, that would be just fine.
0
 

Author Comment

by:kgp43
ID: 34236651
That is awesome, giving points to both of you.

Thanks for the help, this is great :)
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236666
@lexlythius, What I meant to say if using a hashing method like md5 (or sha) you don't have to worry about what user enters for the password. Slashes (\/), quotes ("') or wildcard characters (%?*) that might give trouble in the storage or processing will not come into play when using hashes.


Also if your hash produce a binary string, you might want to use something like base64 encoding.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236669
Glad to help. Thanks for the points.
0
 
LVL 7

Expert Comment

by:lexlythius
ID: 34241031
@sudaraka I see what you mean.

Anyway, handling strings with different encodings is tricky, so a charset or encoding mismatch can mess up the hash matching.

Personally, I'd rather loose some password entropy to risk that chance. But it is a matter of taste I guess.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now