Comment by reinhardt

10 years ago

I can imagine your facepalm... Wondering how many of these "up to N characters" rules are actually there because there is a `password CHAR(N)` DDL declaration for storing plaintext passwords...

I tend to set password fields to varchar(400), though it's encoding info and base64 hashes.

    encoding\options\base64-salt\base64-hash-of-normalized-utf8

I keep the encoding/options so it can be backwards compatible on change... when the encoding/options isn't the current one when the user logs in, it will be re-encoded/saved in the current one... this is so that security can be upgraded over time.

Run normalization on composite unicode characters & look-alikes before encoding.

I do one thing some consider bad, which is strip leading/trailing whitespace, which is more often a copy-paste error, not actual password entry.
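The self-describing record and the re-encode-on-login upgrade described in the comment, as an added example (not the commenter's code). It assumes PBKDF2-HMAC as the encoding, the iteration count as the options field, a backslash separator, and NFKC normalization plus whitespace stripping before hashing.

```python
import base64
import hashlib
import hmac
import secrets
import unicodedata

# Assumed current scheme: encoding id and its options (iteration count).
CURRENT_ENCODING = "pbkdf2-sha256"
CURRENT_OPTIONS = "200000"
SEP = "\\"  # record layout: encoding\options\base64-salt\base64-hash

def normalize(password: str) -> bytes:
    # Strip copy-paste whitespace, fold composed/decomposed forms and
    # compatibility look-alikes (NFKC), then encode as UTF-8.
    return unicodedata.normalize("NFKC", password.strip()).encode("utf-8")

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def _derive(encoding: str, options: str, salt: bytes, pw: bytes) -> bytes:
    # Every encoding ever written must stay verifiable so old rows can be upgraded.
    if encoding == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(options))
    if encoding == "pbkdf2-sha1":  # legacy encoding, verify-only
        return hashlib.pbkdf2_hmac("sha1", pw, salt, int(options))
    raise ValueError(f"unknown password encoding {encoding!r}")

def encode(password: str, encoding: str = CURRENT_ENCODING,
           options: str = CURRENT_OPTIONS) -> str:
    salt = secrets.token_bytes(16)
    digest = _derive(encoding, options, salt, normalize(password))
    return SEP.join([encoding, options, _b64(salt), _b64(digest)])

def verify_and_upgrade(stored: str, password: str):
    """Return (ok, replacement). replacement is a fresh record under the
    current encoding/options when the stored one is outdated, else None."""
    encoding, options, salt_b64, hash_b64 = stored.split(SEP)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    actual = _derive(encoding, options, salt, normalize(password))
    if not hmac.compare_digest(actual, expected):
        return False, None
    if (encoding, options) != (CURRENT_ENCODING, CURRENT_OPTIONS):
        return True, encode(password)  # re-encode with a fresh salt on login
    return True, None

if __name__ == "__main__":
    legacy = encode("pässword", "pbkdf2-sha1", "1000")  # constructed old row
    ok, upgraded = verify_and_upgrade(legacy, "pa\u0308ssword ")
    print(ok, upgraded.split(SEP)[:2])  # decomposed ä + trailing space still match
```

The caller persists `replacement` when it is not None, so the stored row migrates to the current parameters the next time the user authenticates.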