Wednesday, May 10, 2017

It's hard to do passwords worse than this

found on Kappit

It's hard, but it's not impossible. A SQL injection vulnerability in the password field would be worse. Treating the password field as a SQL injection problem first and blocking "special characters" would, however, be the wrong solution. There can be no SQL injection through the password if the string the user types is never the data that gets written to the database - so hash your passwords!

As for the complexity requirements, everything other than length is basically garbage. Each extra rule makes passwords worse by making them less user friendly (and so more likely to be reused or posted on a screen or wall), and easier for a computer to guess, because the rule removes many of the possible combinations an attacker would otherwise have to try.
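That last claim can be checked by counting. The Python below is an added example, not code from the post: it uses inclusion-exclusion to count how many strings of a given length satisfy a "one character from each class" rule, and compares the result with a longer password that has no rule at all. The class sizes (26 lower, 26 upper, 10 digits, 33 symbols, i.e. the 95 printable ASCII characters) are an assumption of the example.

```python
from itertools import combinations
from math import log2

# Printable ASCII split into the usual complexity classes (sizes sum to 95).
# These class sizes are an assumption of this example, not taken from the post.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_passwords(length, class_sizes, required):
    """Number of strings of `length` drawn from the union of `class_sizes`
    that contain at least one character from every class in `required`.

    Inclusion-exclusion: for each subset S of the required classes, count the
    strings that avoid every class in S, then add or subtract by the parity of |S|.
    """
    alphabet = sum(class_sizes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(class_sizes[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def fraction_removed(length, class_sizes, required):
    """Share of all length-`length` strings that the rule rejects, i.e. the
    part of the search space a guesser no longer has to cover."""
    everything = sum(class_sizes.values()) ** length
    return 1 - count_passwords(length, class_sizes, required) / everything


def entropy_bits(length, class_sizes, required):
    """log2 of the number of passwords the rule still allows: the guessing
    cost of a password chosen uniformly at random from that set."""
    return log2(count_passwords(length, class_sizes, required))


if __name__ == "__main__":
    rule = ("lower", "upper", "digit", "symbol")
    # Classic 8-character, four-class policy versus longer passwords with no rule.
    # This models uniformly random passwords; human-chosen ones are weaker still.
    print(f"8 chars, four classes required: {fraction_removed(8, CLASSES, rule):.1%} "
          f"of candidates removed, {entropy_bits(8, CLASSES, rule):.1f} bits")
    print(f"8 chars, no rule:  {entropy_bits(8, CLASSES, ()):.1f} bits")
    print(f"12 chars, no rule: {entropy_bits(12, CLASSES, ()):.1f} bits")
```

With these class sizes the four-class rule throws away more than half of all 8-character strings, while four extra characters with no rule at all add far more guessing cost than the rule ever could.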