?
Solved

What to allow as password?

Posted on 2010-11-29
12
Medium Priority
?
337 Views
Last Modified: 2012-06-27
Hi,

Currently I use regexp to check the format of a password.
At the moment I only allow 0-9, a-z, A-Z

I bet some users find that annoying, so I would like to accept as many as possible, but what is safe?

I such at Regular Expresions, so please post that too if possible :)
0
Comment
Question by:kgp43
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236509
You can also include special chars?

for example,  alphabetic + numeric +  special characters
0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236514
just ref.
ref. this link
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:kgp43
ID: 34236528
I do not want to force to the user to use numbers, capitals etc - thats up to them.
I just want to make sure he isnt using some "illegal" chars? what should I reject?
0
 
LVL 18

Accepted Solution

by:
Sudaraka Wijesinghe earned 1000 total points
ID: 34236573
I would allow anything user can enter and store the hash (md5) of the password in the DB or whatever.
0
 

Author Comment

by:kgp43
ID: 34236628
I'm already using sha256 + salt on password.
Guess there will be no problem then.
0
 
LVL 7

Assisted Solution

by:lexlythius
lexlythius earned 1000 total points
ID: 34236640
I disagree with sudaraka.
Storing the MD5 hash is unsafe. Even single SHA256 + salt is unsafe. See Thomas Ptacek's article on password hashing.

I would say a good bet is allowing all printable characters within the ASCII basic charset, which is common to all charsets and UTF encodings, like so:
if (preg_match("/^[ -~]{8,}$/", $the_password) == 1) {
	echo "password ok";
}
else {
	echo "illegal password";
}

Open in new window


That will allow any combination of at least 8 printable ASCII characters.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236641
Yes, that would be just fine.
0
 

Author Comment

by:kgp43
ID: 34236651
That is awesome, giving points to both of you.

Thanks for the help, this is great :)
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236666
@lexlythius, What I meant to say if using a hashing method like md5 (or sha) you don't have to worry about what user enters for the password. Slashes (\/), quotes ("') or wildcard characters (%?*) that might give trouble in the storage or processing will not come into play when using hashes.


Also if your hash produce a binary string, you might want to use something like base64 encoding.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236669
Glad to help. Thanks for the points.
0
 
LVL 7

Expert Comment

by:lexlythius
ID: 34241031
@sudaraka I see what you mean.

Anyway, handling strings with different encodings is tricky, so a charset or encoding mismatch can mess up the hash matching.

Personally, I'd rather loose some password entropy to risk that chance. But it is a matter of taste I guess.
0

Featured Post

WordPress Tutorial 4: Recommended Plugins

Now that you have WordPress installed, understand the interface, and know how to install new parts, let’s take a look at our recommended plugins.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question