What are the security implications (if any) of allowing any password? -


as ars , many others have pointed out, large organizations extensive, presumably intelligent departments employ rules password creation not in best interest of security.

sometimes though, still hard understand why applications restrict characters allow others, , why other applications have rules contrast other applications. of makes me feel missing something.

i have been taught never trust raw input user, feels wrong allow input user , not validate it, conflicted. in case feel there strong argument allowing user enter anything, , not validate (because there no need).

for illustrative reasons, take following hypothetical user registration system:

a hypothetical user registration system

  1. a user navigates form registering account website.
  2. among other inputs, user prompted password. user told may enter desired password. there no rules. can absolutely string of characters.
  3. upon receiving submitted form (or request, legitimate or malicious), server not validate password field: hashes whatever given.
  4. the hash stored in database use later.

for instance, in php:

password_hash($_post['password'], password_default);

if there any, security implications of system?

is there kind of specially-crafted request can possible submit cause unintended consequences in system? if so, please provide examples.

would server-side languages susceptible attacks this, others not? ones?

again, system illustrative. please not argue merits or downfalls system may have in terms of security of users' passwords themselves, security implications may have on system itself.

the common reason preventing characters developers don't know how correctly handle passwords in whatever language working in, , rather learn so, try limit data accept (often incorrectly). alternately, rely on third party components handle passwords incorrectly , believe powerless fix this. (this described in article link.)

if code precisely describe, no fancy javascript in middle touching input, no middleware unpacking data structures, no logging systems writing passwords, no writing raw passwords database, no sql queries built strings might include password, no unhashed passwords in database, no incorrectly encoded strings in urls, etc., yeah, it's great. it's perfect (i'd rather apply hashing before posting server, there arguments there either way).

in modern applications, developers slap of things mentioned in last paragraph, , apply layer of hope , prayer , scramble patch when publishes exploit. in last paragraph horrible, , common.

so if see restrictions on characters acceptable, means password handling system either built poorly or developers don't trust it. common, restrictions common.


Comments

Post a Comment

Popular posts from this blog

sublimetext3 - what keyboard shortcut is to comment/uncomment for this script tag in sublime -

Image
i have script tag in code, keyboard shortcut comment/uncomment script tag in sublime. after selecting script open , close tag. <script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> </script> i pressing ctrl + shift + / , getting this /*<script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> </script>*/ also pressed ctrl + / , got this // <script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> // </script> instead of <!-- <script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> </script> --> script open , close tag in 2 lines not in 1 line , not have spaces too. for mac,high light lines want comment. hold 'command , / ' commented. for windows: high line or select lines ,then hold ctrl + / if not work: ...
Read more

java - No use of nillable="0" in SOAP Webservice -

i have received xsd 3rd party supplier generated java based system; used create soap endpoint receive data transfers. xsd not make use of nillable attribute defined within w3c/xsd namespace, example: <xs:complextype name="customer"> <xs:sequence> <xs:element minoccurs="1" maxoccurs="1" name="id" type="xs:integer"/> <xs:element minoccurs="0" maxoccurs="1" name="titleid" type="xs:integer"/> <xs:element minoccurs="0" maxoccurs="1" name="firstname" type="xs:string"/> <xs:element minoccurs="0" maxoccurs="1" name="familyname" type="xs:string"/> <xs:element minoccurs="0" maxoccurs="1" name="previousname" type="xs:string"/> <xs:element minoccurs="0" maxoccurs="1" nam...
Read more

ubuntu - Laravel 5.2 quickstart guide gives Not Found Error -

edit: think problem due not setting apache properly, these 2 links helped me. solution: http://laravel.io/forum/06-11-2014-not-found-but-route-exists https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts end edit i'm following laravel 5.2 quickstart guide. https://laravel.com/docs/5.2/quickstart i'm running ubuntu 14.04.2 the website runs initially, when click on add task button run 404 not found error. as per guide run following commands setup complete quickstart project. git clone https://github.com/laravel/quickstart-basic quickstart cd quickstart composer install php artisan migrate additionally run following commands because i'm on ubuntu server: sudo chown -r www-data.www-data quickstart sudo chmod -r 755 quickstart sudo chmod 777 quickstart/storage the routes.php file looks like: <?php use app\task; use illuminate\http\request; route::group(['middleware' => ['web']]...
Read more