Comment by grahamel
10 years ago
What is really frustrating about this is that when I asked them why, they replied "we've chosen these limits to make sure your online password is secure".
I can imagine your facepalm.. Wondering how many of these "up to N characters" rules are actually there because there is a `password CHAR(N)` DDL declaration for storing plaintext passwords...
I tend to set password fields to varchar(400), though it's encoding info and base64 hashes.
I keep the encoding/options so it can be backwards compatible on change... when the encoding/options aren't the current ones when the user logs in, the password will be re-encoded/saved in the current one... this is so that security can be upgraded over time.
Run normalization on composite Unicode characters & look-alikes before encoding.
I do one thing some consider bad, which is stripping leading/trailing whitespace, which is more often a copy-paste error than actual password entry.