Geek Answers Handbook

Should user passwords be limited to a specific character set or strength?

Just finish your registration / login / logout, etc., enter the functionality of my site, and I was curious. Should a user be forced to have a password that matches a specific strength or character set?

Example 1, forcing them to use an alphanumeric password> 8 in length

Example two, only allowing them to use alphanumeric characters and some special characters (for example :! @ # $%).

The first example is, of course, a good thing to ensure security on a sensitive site such as Banking, but I can’t think of good reasons to limit the user’s password characters. As long as the string is cleared for SQL injection, should it not matter that they use the character correctly?

EDIT

And of course the password hashed

+4
source share
2 answers

Please do not tell me which characters I cannot use in my passwords.

You must support the full range of Unicode code points in passwords, with the possible exception of ASCII control characters ( \0 - \0x20 ).

You are responsible for ensuring that any normal character works in a password, including spaces, quotation marks, and backslashes.

Passwords cannot be vulnerable to SQL injection, since the database should never see the actual password . You must use and use your passwords before they enter the database. (use bcrypt)

Minimum difficulty requirements are a double-edged sword. If you need a password that is too hard to remember for your users, they end up writing it somewhere, and probably somewhere nearby.
At least you need 6 characters and at least two of AZ , AZ , 0-9 or any other character.

+3
source

SQL injection should not matter much: you must hash it before it ever reaches the database. There is really no reason to limit the character set.

+1
source

More articles:


All Articles