User Password Checks
Posted: Wed Jul 26, 2006 2:06 pm
by Bigun
Would it be all that secure to put any other password checks in besides a minimum password length?
Like a dictionary check, or a number check, etc.
Posted: Wed Jul 26, 2006 2:12 pm
by RobertGonzalez
I check string length and string content. I think d11 was working on a password strength checker (client-side) that might be useful for you.
Posted: Wed Jul 26, 2006 2:14 pm
by daedalus__
I recommend d11's script, I think it works well.
viewtopic.php?t=51588
Posted: Wed Jul 26, 2006 4:05 pm
by Ward
I usually restrict to alphanumeric plus a few special characters, like !@#$%^&*-_. This can be easily checked server-side with a regex.
Posted: Wed Jul 26, 2006 5:39 pm
by Ambush Commander
Really, you shouldn't need to restrict passwords (theoretically speaking, there's no reason why it couldn't be binary data. Makes dictionary attacks a lot harder.)
String length, content in terms of composition of characters, digits, etc., perhaps an AJAX-based server-side dictionary check. Anything beyond that's just education.
Posted: Wed Jul 26, 2006 5:50 pm
by daedalus__
If you are hashing it, it could be any character as it wouldn't matter what it's made up of because only a hash is going in the db.
Posted: Wed Jul 26, 2006 7:29 pm
by Jenk
If you do allow 'any' character, make sure you're using strongly implemented encoding.
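The checks discussed in the posts above (length, character composition, a server-side dictionary check, no character restrictions, one fixed encoding before hashing), as an added example that is not code from any poster in this thread. The minimum length, the sample word list, the function names and the choice of NFKC normalization with salted PBKDF2-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8  # assumed policy value, not taken from the thread
# Constructed sample word list; a real check would load a much larger one.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "welcome"}


def normalize(password: str) -> str:
    """Map equivalent Unicode spellings to one form so any character is safe to hash."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, words=COMMON_WORDS) -> list:
    """Return the reasons a password is rejected (an empty list means accepted)."""
    text = normalize(password)
    problems = []
    if len(text) < MIN_LENGTH:
        problems.append("too short")
    # Composition: count the character classes present, without banning any character.
    classes = sum([
        any(c.islower() for c in text),
        any(c.isupper() for c in text),
        any(c.isdigit() for c in text),
        any(not c.isalnum() for c in text),
    ])
    if classes < 2:
        problems.append("only one kind of character")
    # Dictionary check: ignore case and any digits or symbols mixed in.
    core = "".join(c for c in text.lower() if c.isalpha())
    if core in words:
        problems.append("dictionary word")
    return problems


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Return salt + PBKDF2 digest; only this value goes in the database."""
    salt = salt or os.urandom(16)
    data = normalize(password).encode("utf-8")  # one fixed encoding before hashing
    return salt + hashlib.pbkdf2_hmac("sha256", data, salt, 200_000)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = stored[:16]
    return hmac.compare_digest(hash_password(password, salt), stored)
```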
Posted: Wed Jul 26, 2006 11:22 pm
by RobertGonzalez
Daedalus- wrote: If you are hashing it, it could be any character as it wouldn't matter what it's made up of because only a hash is going in the db.
Stronger character patterns are harder to guess at the entry point. I think that is the point of a strong password. When all is said and done, passwords are still entered in plain text in a user's browser and passed through HTTP to a server. The harder to guess, the better the password.
Posted: Wed Jul 26, 2006 11:39 pm
by daedalus__
I was giving that as a reason he doesn't need to restrict the characters that a user can use...