Accepted Password Characters Standard Please???
I could be completely wrong, but to my knowledge there is not a Standard for accepted password characters. For those of you that have ever developed an authentication/account management system on the web, you know that deciding which password characters you are going to accept is somewhat of a pain. You want to protect against multiple types of injection attacks, yet still provide your users with as much flexibility as possible. Every type of user input on your site is one more gateway to a malicious heyday.
When developing your own system, the accepted password characters are up to you. You make the decision based on what type of security you want to provide your users. They choose a password that follows your guidelines, and case dismissed. Here is the show-stopper. What if the project you were developing actually managed passwords from other sites? Then you have to be able to accept dang near every character there is, yet still protect your users and yourself against injection attacks.
When other sites (Some Big Names) allow characters such as:
' " < > ? { } ....
You are now forced to allow your users the ability to enter these characters so that you can manage their actual passwords. Allowing these characters is like handing them a loaded gun and saying, "I trust you won't shoot me".
Using input sanitization techniques is out of the question. Your normal password is stored after being run through a hash function (md5, sha1, sha256, etc.). Your sanitization strips characters for protection and then hashes what is left. Repeating this process every time the user enters their password will result in the hashes matching and the user will authenticate. The user never knows that characters are actually being stripped. When using symmetric key algorithms such as TDES and AES, your recovered clear text must match the user's initially submitted clear text. See the problem??
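The two paths described above, as an added Python example that is not part of the original post. It assumes salted SHA-256 in place of the hash functions named, and a stand-in XOR keystream derived with HMAC-SHA256 in place of TDES/AES so that it runs on the standard library alone (the stand-in is only there to show the round-trip comparison, not to be used for real data). The stripped character set is the one the post lists, and the salt, key, nonce and password are constructed values.

```python
"""Why strip-then-hash appears to work while strip-then-encrypt does not.

Assumptions (not from the post): salted SHA-256 stands in for the hash
functions it names; the symmetric cipher is a stand-in HMAC-SHA256 XOR
keystream used in place of TDES/AES so this runs offline on the standard
library. Do not use the stand-in cipher for real data.
"""
import hashlib
import hmac

# The characters the post says some big-name sites allow in passwords.
PERMISSIVE_CHARS = frozenset("'\"<>?{}")


def sanitize(password: str) -> str:
    """A 'protective' sanitizer: silently drops the permissive characters."""
    return "".join(ch for ch in password if ch not in PERMISSIVE_CHARS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256, standing in for the md5/sha1/sha256 the post mentions."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hashed_login(stored_password: str, attempt: str, salt: bytes,
                 strip: bool = True) -> bool:
    """Path 1: the site stores a hash. Enrollment and login both run the same
    sanitize-then-hash pipeline, so the user never notices the stripping."""
    clean = sanitize if strip else (lambda p: p)
    stored_digest = hash_password(clean(stored_password), salt)
    attempt_digest = hash_password(clean(attempt), salt)
    return hmac.compare_digest(stored_digest, attempt_digest)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream (stand-in for a real cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: str) -> bytes:
    data = plaintext.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> str:
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


def vault_roundtrip(original: str, key: bytes, nonce: bytes,
                    strip: bool = True) -> str:
    """Path 2: a password manager must hand back exactly what the user stored.
    Returns the recovered clear text so the caller can compare it."""
    clean = sanitize(original) if strip else original
    return decrypt(key, nonce, encrypt(key, nonce, clean))


if __name__ == "__main__":
    salt, key, nonce = b"\x00" * 16, b"k" * 32, b"n" * 12   # constructed values
    pw = "p@ss<word>'"                                      # constructed password
    print(hashed_login(pw, pw, salt))             # True: user logs in fine
    print(hashed_login(pw, "p@ssword", salt))     # True: the stripped variant also logs in
    print(vault_roundtrip(pw, key, nonce) == pw)  # False: recovered text differs
    print(vault_roundtrip(pw, key, nonce, strip=False) == pw)  # True: no stripping, exact match
```

The second `hashed_login` call is the hidden cost of the hash path: because stripping happens on both sides, a weaker variant of the password also authenticates, which the user never sees. The vault path exposes the same stripping immediately, since the recovered clear text no longer equals what was submitted; with `strip=False` the round trip is exact, which is what a system managing other sites' passwords needs.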
There are ways around these problems and I use them quite regularly, however a strict password character standard could solve all our woes.
Posted by dmac at March 31, 2006 11:44 PM