Solved

What to allow as password?

Posted on 2010-11-29
12
332 Views
Last Modified: 2012-06-27
Hi,

Currently I use regexp to check the format of a password.
At the moment I only allow 0-9, a-z, A-Z

I bet some users find that annoying, so I would like to accept as many as possible, but what is safe?

I such at Regular Expresions, so please post that too if possible :)
0
Comment
Question by:kgp43
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236509
You can also include special chars?

for example,  alphabetic + numeric +  special characters
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236512
0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 34236514
just ref.
ref. this link
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:kgp43
ID: 34236528
I do not want to force to the user to use numbers, capitals etc - thats up to them.
I just want to make sure he isnt using some "illegal" chars? what should I reject?
0
 
LVL 18

Accepted Solution

by:
Sudaraka Wijesinghe earned 250 total points
ID: 34236573
I would allow anything user can enter and store the hash (md5) of the password in the DB or whatever.
0
 

Author Comment

by:kgp43
ID: 34236628
I'm already using sha256 + salt on password.
Guess there will be no problem then.
0
 
LVL 7

Assisted Solution

by:lexlythius
lexlythius earned 250 total points
ID: 34236640
I disagree with sudaraka.
Storing the MD5 hash is unsafe. Even single SHA256 + salt is unsafe. See Thomas Ptacek's article on password hashing.

I would say a good bet is allowing all printable characters within the ASCII basic charset, which is common to all charsets and UTF encodings, like so:
if (preg_match("/^[ -~]{8,}$/", $the_password) == 1) {
	echo "password ok";
}
else {
	echo "illegal password";
}

Open in new window


That will allow any combination of at least 8 printable ASCII characters.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236641
Yes, that would be just fine.
0
 

Author Comment

by:kgp43
ID: 34236651
That is awesome, giving points to both of you.

Thanks for the help, this is great :)
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236666
@lexlythius, What I meant to say if using a hashing method like md5 (or sha) you don't have to worry about what user enters for the password. Slashes (\/), quotes ("') or wildcard characters (%?*) that might give trouble in the storage or processing will not come into play when using hashes.


Also if your hash produce a binary string, you might want to use something like base64 encoding.
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 34236669
Glad to help. Thanks for the points.
0
 
LVL 7

Expert Comment

by:lexlythius
ID: 34241031
@sudaraka I see what you mean.

Anyway, handling strings with different encodings is tricky, so a charset or encoding mismatch can mess up the hash matching.

Personally, I'd rather loose some password entropy to risk that chance. But it is a matter of taste I guess.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question