User Password Checks

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

User Password Checks

Post by Bigun »

Would it be all that secure to put any other password checks in besides a minimum password length?

Like a dictionary check, or a number check, etc.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I check string length and string content. I think d11 was working on a password strength checker (client-side) that might be useful for you.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I recommend d11's script, I think it works well.

viewtopic.php?t=51588
Ward
Forum Commoner
Posts: 74
Joined: Thu Jul 13, 2006 10:01 am

Post by Ward »

I usually restrict to alphanumeric plus a few special characters, like !@#$%^&*-_. This can be easily checked server-side with a regex.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Really, you shouldn't need to restrict passwords (theoretically speaking, there's no reason why it couldn't be binary data. Makes dictionary attacks a lot harder :twisted: )

String length, content in terms of composition of characters, digits, etc., perhaps an AJAX-based server-side dictionary check. Anything beyond that's just education.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

If you are hashing it, it could be any character as it wouldn't matter what it's made up of because only a hash is going in the db.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

If you do allow 'any' character, make sure you're using strongly implemented encoding.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Daedalus- wrote: If you are hashing it, it could be any character as it wouldn't matter what it's made up of because only a hash is going in the db.

Stronger character patterns are harder to guess at the entry point. I think that is the point of a strong password. When all is said and done, passwords are still entered in plain text in a user's browser and passed through HTTP to a server. The harder to guess, the better the password.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I was giving that as a reason he doesn't need to restrict the characters that a user can use...
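An added PHP example (not from any poster in this thread) that pulls the thread's points together: a minimum length and character-composition check, a dictionary check, no restriction on the character set because only a hash is stored, and hashing with password_hash. It assumes PHP 8 or later (for str_starts_with) and the mbstring extension; WEAK_PASSWORDS is a constructed stand-in for a real dictionary or breached-password list.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for a real dictionary / breached-password list.
const WEAK_PASSWORDS = ['password', 'password1', 'letmein', 'qwerty', '123456'];

// Policy checks from the thread: minimum length, composition, dictionary check.
// The character set is not restricted: any UTF-8 string is acceptable because only
// a hash is ever stored. Returns failure messages; an empty array means it passes.
function checkPasswordPolicy(string $password, int $minLength = 10): array
{
    $errors = [];
    // Count characters rather than bytes so multibyte input is measured fairly.
    if (mb_strlen($password, 'UTF-8') < $minLength) {
        $errors[] = "at least $minLength characters required";
    }
    // Composition: require at least three of four Unicode-aware character classes.
    $classes = 0;
    foreach (['/\p{Ll}/u', '/\p{Lu}/u', '/\p{N}/u', '/[^\p{L}\p{N}]/u'] as $re) {
        if (preg_match($re, $password) === 1) {
            $classes++;
        }
    }
    if ($classes < 3) {
        $errors[] = 'use at least three of: lowercase, uppercase, digits, other characters';
    }
    // Dictionary check on a normalised form, so "Password1!" is still caught.
    $normalised = mb_strtolower(preg_replace('/[^\p{L}\p{N}]/u', '', $password) ?? '');
    foreach (WEAK_PASSWORDS as $weak) {
        if (str_starts_with($normalised, $weak)) {
            $errors[] = 'password is based on a common word';
            break;
        }
    }
    return $errors;
}

// Store only a salted hash. bcrypt (the current PASSWORD_DEFAULT) uses at most the
// first 72 bytes of the password, so very long inputs are silently truncated.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Demonstration with constructed candidate passwords.
foreach (['Password1!', 'Tr0ub4dor&3', 'pässwörd mit Ümlauten 42!'] as $candidate) {
    $errors = checkPasswordPolicy($candidate);
    echo $candidate, ': ', ($errors ? implode('; ', $errors) : 'OK'), PHP_EOL;
}
$hash = storePassword('Tr0ub4dor&3');
echo 'verify: ', password_verify('Tr0ub4dor&3', $hash) ? 'ok' : 'fail', PHP_EOL;
```

The policy function runs server-side regardless of any client-side strength meter, and the stored hash never reveals which characters the user chose.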