dmac blog

Geekery, Christian Babble, and a little more!

Accepted Password Characters Standard Please???

I could be completely wrong, but to my knowledge there is no standard for accepted password characters. Anyone who has built an authentication or account management system on the web knows that deciding which password characters to accept is a bit of a pain. You want to protect against the various flavors of injection attack while still giving your users as much flexibility as possible, and every piece of user input on your site is one more gateway to a malicious heyday.

When you develop your own system, the accepted password characters are up to you. You make the call based on the level of security you want to give your users, they pick a password that follows your rules, and case dismissed. Here is the show stopper: what if the project you are developing manages passwords for other sites? Now you have to be able to accept dang near every character there is, and still protect your users and yourself against injection attacks.

When other sites (Some Big Names) allow characters such as:

' " < > ? { } ....

you are forced to let your users enter those same characters, because the string you store has to be their actual password. Allowing them feels like handing someone a loaded gun and saying, "I trust you won't shoot me." To be fair, the gun is only loaded if the password gets spliced into a SQL query or an HTML page as-is; a password that is only ever hashed, encrypted, or bound as a query parameter never reaches an interpreter that could execute it.

Input sanitation is out of the question, and here is why. A normal login password is stored after being run through a hash function (md5, sha1, sha256, etc., or better, a slow salted scheme such as PBKDF2 or bcrypt). If your sanitation strips the risky characters before hashing, the login still works: the same characters get stripped every time the user types the password, the hashes match, and the user authenticates without ever knowing anything was thrown away. What they also never know is that their password just got weaker, since every password that differs only in the stripped characters now collapses to the same hash. When you use a symmetric key algorithm such as TDES or AES instead, because you have to hand the password back, the recovered clear text must match exactly what the user originally submitted, and a stripped password is simply the wrong password. See the problem?
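To make the two failure modes concrete, here is an added example (my own code, not from the original post) that enrolls and checks a password with and without character stripping, then stores a third-party password in a small vault table and reads it back. The sample passwords, the fixed salt, the table layout and the master key are constructed for the demo. The cipher is a toy HMAC-based stream cipher standing in for AES so the script runs on the Python standard library alone; it is not something to use for real.

```python
"""Why stripping 'dangerous' characters from passwords is the wrong defense.

Shows three things:
  1. Hash-then-compare still 'works' after stripping, so nobody notices that
     distinct passwords have collapsed into one weaker one.
  2. A vault that must hand the user's real password back (symmetric
     encryption) returns the wrong secret once characters were stripped.
  3. Parameterised SQL stores the raw password safely, so no stripping is
     needed in the first place.
"""
import hashlib
import hmac
import os
import sqlite3

# The characters the post lists as troublesome when spliced into SQL or HTML.
RISKY = set("'\"<>?{}")


def strip_risky(password: str) -> str:
    """The naive 'sanitation' the post warns about: silently drop risky characters."""
    return "".join(ch for ch in password if ch not in RISKY)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def enroll(password: str, salt: bytes, sanitize: bool) -> bytes:
    """Store-time hash, optionally after stripping."""
    return hash_password(strip_risky(password) if sanitize else password, salt)


def authenticate(stored: bytes, salt: bytes, attempt: str, sanitize: bool) -> bool:
    """Login-time check; the same stripping policy is applied as at enrollment."""
    candidate = hash_password(strip_risky(attempt) if sanitize else attempt, salt)
    return hmac.compare_digest(candidate, stored)


def toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES, demo only): keystream blocks are
    HMAC-SHA256(key, nonce || counter). XOR is its own inverse, so the same
    call both encrypts and decrypts."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        keystream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def vault_roundtrip(site: str, password: str, key: bytes, sanitize: bool) -> str:
    """Encrypt a third-party password, store it with bound SQL parameters, read
    it back and decrypt. The quotes inside the password never reach the SQL
    parser as SQL because they travel as a bound value, not query text."""
    nonce = os.urandom(12)
    plaintext = strip_risky(password) if sanitize else password
    ciphertext = toy_xor_cipher(key, nonce, plaintext.encode("utf-8"))
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vault (site TEXT PRIMARY KEY, nonce BLOB, secret BLOB)")
    db.execute("INSERT INTO vault (site, nonce, secret) VALUES (?, ?, ?)",
               (site, nonce, ciphertext))
    stored_nonce, stored_secret = db.execute(
        "SELECT nonce, secret FROM vault WHERE site = ?", (site,)).fetchone()
    db.close()
    return toy_xor_cipher(key, stored_nonce, stored_secret).decode("utf-8")


def demo() -> dict:
    # Constructed sample: real_pw carries every character from the post's list,
    # collapsed_pw is what strip_risky() reduces it to.
    real_pw = "Secr'et\"<42>?{}"
    collapsed_pw = "Secret42"
    salt = b"\x00" * 16  # fixed salt so the demo is repeatable (use os.urandom for real)
    key = hashlib.sha256(b"demo master key").digest()  # constructed vault key

    stored_sanitized = enroll(real_pw, salt, sanitize=True)
    stored_raw = enroll(real_pw, salt, sanitize=False)
    return {
        # 1. With stripping, a different (weaker) password also logs in.
        "sanitized_accepts_collapsed": authenticate(stored_sanitized, salt, collapsed_pw, True),
        "raw_accepts_collapsed": authenticate(stored_raw, salt, collapsed_pw, False),
        "raw_accepts_real": authenticate(stored_raw, salt, real_pw, False),
        # 2. The vault must give back exactly what the user typed.
        "vault_sanitized": vault_roundtrip("example.com", real_pw, key, sanitize=True),
        "vault_raw": vault_roundtrip("example.com", real_pw, key, sanitize=False),
        "real_pw": real_pw,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the sanitized login accepts both `Secr'et"<42>?{}` and `Secret42`, while the sanitized vault returns `Secret42` for a user who typed something else entirely. The raw path rejects the collapsed password, returns the exact original from the vault, and never needed to strip anything, because the only place the password touches SQL is as a bound parameter.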

There are ways around these problems and I use them quite regularly; still, a strict password character standard could solve all our woes.

Bye Bye Bible Run

The Bible Run has officially been ended by yours truly. I gave it the old "rm -rf" for the geeks out there. I am as much to blame as everyone else. I honestly think that Sozo would have been the only one to stick with it (Great Job Bro). A straight-through reading of the Bible is probably not the best approach. I hope many of you are still reading the Bible daily. It was fun while it lasted.

It has been a while

I figured I would make a post and catch everyone up. As you probably already know, I have not made a post in some time. I have been pouring blood, sweat, and tears into an "Identity Protection Suite" I like to call DEFYGO. We are currently finishing up some of the latest features and we are getting ready to do some advanced testing. Basically, I am going to try to break it every way I can so that we can debug as much as possible. After about 10,000+ lines of server/client side code, it is nice to finally do some testing. Who knows, it might just be available for download in the near future. Expect a link!

Are you up for the CHALLENGE??

I am personally challenging all those who read my blog to join "The Bible Run". It is a little idea that I have come up with and want to share with all those that are interested. The question is, "Can You Handle It?"


Are you in my class?

I just found out about 5 minutes ago that I am officially teaching "Network Systems Security I" online for the Telecommunications Systems Management program at Murray State University. The class number is TSM 352 and it is only taken by students who are specializing in InfoSec. This is an exciting opportunity and I plan to teach more classes next semester.

Addition: I wanted to clarify that I am actually teaching this online.