开发者

Should a user's passwords be limited to a specific character set or strength?

Just finishing up my signup/login/logout etc... type functionality of my site and I was curious. Should a user be forced to have a password that meets a certain strength or character set?

Example one, forcing them to use a alphanumeric password of length > 8

Example two, only allowing them to use alphanumeric characters and some special characters (ie: !@#$%).

The first example is obviously a good thing to enforce on a sensitive site such as Banking but I can't think of a good reason to limit a user's password characters. As long as the string is cleaned for sql injecti开发者_C百科on, it shouldn't matter what they use character wise right?

EDIT

And of course the password is being HASHED


Please, don't tell me what characters I can't use in my passwords.

You should support the full range of Unicode code points in passwords, with the possible exception of ASCII control characters (\0\0x20).

It is your responsibility to make sure that any normal character will work in a password, including spaces, quotes, and backslashes.

Passwords cannot be vulnerable to SQL injection, since the database must never see the actual password. You should hash and salt your passwords before they get anywhere near the database. (use bcrypt)


Minimum complexity requirements are a double-edged sword. If you require a password that is too complicated for your users to remember, they will end up writing it down somewhere, and probably somewhere close at hand.
At the very least, you should require 6 characters and at least two of A-Z, a-z, 0-9, or any other character.


SQL injection should not really matter: you should be hashing it before it ever reaches the DB. There really is no reason to limit the character set.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜