Is password sanitization required?

I try to sanitize any data entered, making sure that the data is valid for a specific field (for example, a name cannot contain special characters, numbers, etc.). However, I'm not sure what to do when it comes to the password field. Do I even have to worry about any sanitization, since the password is just hashed? If a user were to enter something malicious through the password text box, should I worry about checking for something suspicious? AFAIK, some users may (must!) have special characters such as '<>', which usually trigger a potential-attack warning. Should I just leave the password field unsanitized? Limiting password input is a last resort for me, because I believe that users should be able to use all kinds of characters in their passwords.

Thanks

+4
2 answers

As long as you hash it in your application, you should be fine.

Never mind the topic, given that you are using ASP.NET; the notable exception would be if you were using PHP and MySQL and did something like this:

UPDATE users SET password = PASSWORD('$pwd') WHERE userid = $uid 

In that case, you would want to sanitize $pwd first.

+3

If you are worried about SQL injection attacks, you should start using parameterized queries to interact with your database. Since deciding which characters are valid for a password is a business rule, I would not strip anything until my client says so.

All other input must be sanitized, since it may also be displayed in your page's output and can lead to XSS attacks.

+3
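To make the two answers concrete, here is an added example (not from either answerer) in Python with sqlite3 standing in for the PHP/MySQL setup: the interpolated UPDATE from the first answer, beside a version that hashes the password and binds it as a parameter as the second answer advises. The table name, the PBKDF2 work factor and the sample password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo

def make_db():
    """Constructed in-memory stand-in for the answer's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'unset'), (2, 'unset')")
    return conn

def hash_password(pwd, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest); any character is fine."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(pwd, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(pwd, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def update_password_interpolated(conn, uid, pwd):
    """The first answer's risky pattern: the raw password is spliced into the SQL text."""
    sql = "UPDATE users SET password = '" + pwd + "' WHERE userid = " + str(uid)
    conn.execute(sql)  # a quote in pwd ends the SQL literal, so user text becomes SQL

def update_password_parameterized(conn, uid, pwd):
    """The second answer's advice: hash first, then bind; the password is never sanitized."""
    conn.execute("UPDATE users SET password = ? WHERE userid = ?", (hash_password(pwd), uid))

def stored_password(conn, uid):
    return conn.execute("SELECT password FROM users WHERE userid = ?", (uid,)).fetchone()[0]

def demo():
    """Returns (interpolated_failed, parameterized_verifies, other_user_untouched)."""
    pwd = "O'Brien <>&\""  # constructed: a legitimate password full of 'suspicious' characters
    conn = make_db()
    try:
        update_password_interpolated(conn, 1, pwd)
        interpolated_failed = False
    except sqlite3.OperationalError:
        interpolated_failed = True  # the database parsed part of the password as SQL
    update_password_parameterized(conn, 1, pwd)
    ok = verify_password(pwd, stored_password(conn, 1))
    return interpolated_failed, ok, stored_password(conn, 2) == "unset"
```

Calling demo() shows the interpolated form breaking on an ordinary apostrophe while the parameterized form stores and verifies the same password, so no character restriction is needed on the password field.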
