Password Maximum Length
Posted: Fri Jul 21, 2006 11:08 pm
by Benjamin
When you're running md5 on a password before you save it to the database, is there any point at all in checking the content of the password, or its maximum length?
Take the following, for example:
$password = md5($_POST['password']);
$password is now just a 32 character string. The real password could be anything, of any length.
So, I am assuming that checking to make sure the password is less than X characters is pointless.
Am I correct?
Posted: Fri Jul 21, 2006 11:22 pm
by feyd
No, it is not pointless. One reason is to do a sanity check on how potentially strong the password is. The longer the password is, the more secure it potentially becomes. Checking for it having w lowercase, x uppercase, y numbers, and z symbols would add more security checking of the password.
Posted: Fri Jul 21, 2006 11:38 pm
by Benjamin
I'm sorry, I meant that besides checking the minimum length and the content for strength, there isn't any reason to limit the length or disallow any specific characters.
Posted: Fri Jul 21, 2006 11:43 pm
by feyd
There's no reason to have a maximum length, only a minimum.
Posted: Fri Jul 21, 2006 11:55 pm
by Benjamin
Ok cool just checking.
Posted: Sat Jul 22, 2006 6:05 am
by Chris Corbyn
~astions. MD5 works on binary strings and ascii strings so the password could be anything really. Disallowing characters just means your users have less chance of picking a strong password.
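As an added example (not code from the thread), here is one way to put feyd's minimum-length and character-class checks and Chris Corbyn's point about binary input into PHP: no maximum length, no forbidden characters, and the hashing step kept as the thread's md5(). The minimum length, class rules and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. Policy: a minimum length plus at least
// one lowercase, uppercase, digit and symbol. No maximum length, no banned
// characters, and raw binary input is accepted.

function password_policy_failures(string $password, int $minLength = 8): array
{
    $failures = [];
    // Count characters when the input is valid UTF-8, so a multibyte
    // character is not counted as several; fall back to bytes otherwise.
    $length = mb_check_encoding($password, 'UTF-8')
        ? mb_strlen($password, 'UTF-8')
        : strlen($password);
    if ($length < $minLength) {
        $failures[] = "shorter than $minLength characters";
    }
    // Byte-oriented classes (no /u flag) so binary strings never make
    // preg_match() fail; each class must appear at least once.
    $classes = [
        'lowercase' => '/[a-z]/',
        'uppercase' => '/[A-Z]/',
        'digit'     => '/[0-9]/',
        'symbol'    => '/[^A-Za-z0-9]/',
    ];
    foreach ($classes as $name => $pattern) {
        if (preg_match($pattern, $password) !== 1) {
            $failures[] = "no $name character";
        }
    }
    return $failures;
}

function hash_for_storage(string $password): string
{
    // The thread's hashing step: md5() always returns 32 hex characters,
    // whatever the length or byte content of the input.
    return md5($password);
}

// Constructed sample inputs: a long passphrase, a raw binary string, a weak one.
$samples = [
    'long'   => str_repeat('Correct-Horse-42!', 250),   // 4250 bytes
    'binary' => 'Aa1!' . random_bytes(16),              // arbitrary bytes
    'weak'   => 'password',
];
foreach ($samples as $label => $pw) {
    $failures = password_policy_failures($pw);
    printf("%-6s len=%4d failures=%s md5len=%d\n", $label, strlen($pw),
        $failures ? implode(', ', $failures) : 'none',
        strlen(hash_for_storage($pw)));
}
```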
Posted: Sat Jul 22, 2006 6:07 am
by Benjamin
Yeah, I know. I just wanted to make sure there weren't any issues with it being like 4000 characters or something. This makes me wonder why Yahoo, Hotmail and almost every large web site limits the length of your password.

Posted: Sat Jul 22, 2006 6:15 am
by Chris Corbyn
The length could be quite large. The only limitation would be the web server's setting for maximum POST data size.
Posted: Sat Jul 22, 2006 9:42 am
by Ambush Commander
Hehe, a 42 KB password. But yes, I take the view that filtering password input is unnecessary.
Posted: Sat Jul 22, 2006 11:17 am
by kbrown3074
Ok... since I haven't used it... what exactly is md5()? I could search on it... but too lazy.

Posted: Sat Jul 22, 2006 11:23 am
by Ambush Commander
It's a hash function.

<- that means search