Why does registration form promote low-security passwords?


  • TF#3 - ENVOY

    Every time I see a registration form limit the character count or the special characters, I just assume they're stored in plaintext and the developers don't know the first thing about security.

    I sincerely hope you're using something like Argon2, or at least BCrypt.


  • TF#7 - AMBASSADOR

    There's basically no reason to limit the number of characters to anything lower than the maximum number the encryption algorithm can process, and there's absolutely no reason not to allow special characters (and definitely every reason to not only allow but require them).

    That said, my password is both quite lengthy and uses special characters, so I don't know what you mean.


  • TF#12 - PEOPLE'S HERALD

    The main reason for leaving out some special characters is mostly that they get transmitted as different kinds of code by the client.
    It is a bit like how "any key" is not just any key 😉

    I think even with just a selection of allowed characters you can create a very good password.
    Sure, if you just use 6 letters, then it is not a good one.


  • TF#7 - AMBASSADOR

    @kralith said in Why does registration form promote low-security passwords?:

    The main reason for leaving out some special characters is mostly that they get transmitted as different kinds of code by the client.

    Only very badly-made code needs to remove special characters for technical reasons. This implies to me that the system is suspected to be vulnerable to data injection, in which case they have a much worse security concern to worry about than password complexity.


  • TF#12 - PEOPLE'S HERALD

    @fibs There are some characters which are always troublesome when it comes to passwords and their storing and protection. To name a few: ü ö ä č ř ž ď ť ň ě ă â ê ô; and the list could go on, as for example non-Latin alphabets can also prove very problematic. The thing is, many of these letters and characters are actually not one character, but multiple smashed into one on your displaying device. I.e. the database could see it as an unknown symbol or as a group of other symbols, so the next time you attempt to log in with your password containing ê, you will not be able to, as according to the database it could be e^?!, so instead of <inputrandompasswordwithê> your password according to the database would be <inputrandompasswordwithe^?!> just because it could not manage to encrypt it the same way as before.

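The "ê" problem described in the post above is, in practice, a Unicode normalization issue rather than the database inventing `e^?!`: one client sends the precomposed code point U+00EA, another sends `e` followed by the combining accent U+0302, and a server that hashes the raw bytes ends up with two different hashes for what the user sees as one password. The Python below is an added example written for this edit, not code from the forum or from Fractured; it normalizes to NFC before hashing with scrypt from the standard library (as a stand-in for the Argon2 or bcrypt mentioned in the first reply), and it also measures the bcrypt 72-byte limit that the "maximum the algorithm can process" remark refers to in UTF-8 bytes rather than characters, since accented letters take more than one byte. The sample passwords, the `$`-separated storage format and the scrypt cost parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed sample inputs (not from the thread): the same visible password
# typed on two devices that send the "ê" differently.
PASSWORD_COMPOSED = "s3cret-caf\u00ea"      # one code point: U+00EA
PASSWORD_DECOMPOSED = "s3cret-cafe\u0302"   # 'e' + U+0302 COMBINING CIRCUMFLEX ACCENT

# bcrypt implementations use only the first 72 bytes of the input; the bound
# applies to the UTF-8 byte length, not the character count.
BCRYPT_BYTE_LIMIT = 72

# scrypt cost parameters (assumed for this example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def naive_bytes(password: str) -> bytes:
    """What a server sees when it just encodes whatever the client sent."""
    return password.encode("utf-8")


def canonical_bytes(password: str) -> bytes:
    """Normalize to NFC before encoding so both spellings of 'ê' map to one byte string."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash the canonical bytes with scrypt; returns a self-describing 'scrypt$n$r$p$salt$digest' string."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(canonical_bytes(password), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored beside the hash and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: never a match
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(canonical_bytes(password), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def utf8_length(password: str) -> int:
    """Byte length a bcrypt-based system would actually hash."""
    return len(canonical_bytes(password))


def fits_bcrypt(password: str) -> bool:
    """True if bcrypt would hash the whole password instead of a silently truncated prefix."""
    return utf8_length(password) <= BCRYPT_BYTE_LIMIT


if __name__ == "__main__":
    print("raw bytes equal:      ", naive_bytes(PASSWORD_COMPOSED) == naive_bytes(PASSWORD_DECOMPOSED))
    print("canonical bytes equal:", canonical_bytes(PASSWORD_COMPOSED) == canonical_bytes(PASSWORD_DECOMPOSED))
    stored = hash_password(PASSWORD_COMPOSED)
    print("decomposed form verifies against composed hash:", verify_password(PASSWORD_DECOMPOSED, stored))
    umlauts = "ü" * 40
    print(f"{len(umlauts)} chars -> {utf8_length(umlauts)} bytes; fits bcrypt: {fits_bcrypt(umlauts)}")
```

The point to take from the run is that the raw byte strings differ while the NFC-normalized ones do not; the same normalization step has to run at registration and at every login, otherwise the accented password registers fine and then fails on a different device. The byte-length check is the reason a character limit cannot simply be set to 72 for bcrypt: forty "ü" characters already exceed the limit, and bcrypt would hash only the prefix without any error.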

  • TF#12 - PEOPLE'S HERALD

    @meiki
    that's quite interesting! and I'm sure you never want to use those characters in plain text: password is encrypt'ê'd so they work, so it's best to not use them.



Copyright © 2020 Dynamight Studios Srl | Fractured