webref.eu Posted July 29, 2008

Hi All, I am currently writing a script for online reviews. I'm allowing people to register for the site. For their passwords I have decided to allow them alphanumeric characters only. I don't feel individual accounts are likely to be highly targeted by hackers because no valuable personal details are being recorded there. So, do you share my view that restricting passwords to alphanumeric characters will be sufficient? Or should I allow punctuation in passwords? Thanks all for any opinions.

Thread: https://forums.phpfreaks.com/topic/117210-quick-opinion-on-password-security-required/
Jabop Posted July 29, 2008

I don't see why password characters should ever be limited. Personally, I think that it's annoying when a site limits the types of characters that are used in passwords.
webref.eu Posted July 29, 2008

From my point of view as a relative newbie to PHP, it's going to be a lot easier to code if I just restrict the field to alphanumeric only, otherwise I'll have to make sure I handle all the various special characters, which I can imagine will be a pain. Rgds
.josh Posted July 29, 2008

You also incorrectly assume that people only try to hack sites to get to the information...
ecopetition Posted July 29, 2008

People try to hack websites for the hell of it too though, for a laugh, to show off to their mates and to cause disruption. Go for full-board.
.josh Posted July 29, 2008

and cross site scripting, spam, etc...
EPCtech Posted July 29, 2008

Hello, Don't restrict people to only alphanumeric characters. That's going to get your users annoyed. Just let them have all the freedom you can give them when choosing and making their passwords. Best Regards, En-Psyche Management
webref.eu Posted July 30, 2008

Would anyone else care to voice an opinion? Personally I usually only use alphanumeric passwords anyway, so it wouldn't bother me that much.... Thanks All.
EPCtech Posted July 30, 2008

Alphanumeric passwords are quite insecure compared to passwords like "jd9n32cf42go".
.josh Posted July 30, 2008

umm... Alphanumeric is letters+numbers. I think what he's wanting to do is exclude special chars and things like punctuation marks, operators, etc...
ShaunO Posted July 30, 2008

No reason not to let them use special characters. It should be more effort to restrict them from using them.
discomatt Posted July 30, 2008

No, password 'phrases' are becoming more and more popular. The wider the character set available to users, the harder it is to crack the passwords... Just for example....

Alphanumeric = 65 possible characters
Any = 95 possible characters... assuming only printable characters are allowed

May not seem like much, but now let's take that up to a 6 character password.

65^6 = 75,418,890,625
95^6 = 735,091,890,625

That's roughly 10x more possible combinations, and the number will increase exponentially as the password length increases. That's a BIG difference for a cracker.
DarkWater Posted July 30, 2008

Also, when you encrypt the passwords with whatever algorithm you're using (I'll assume md5 or SHA1)... it ends up with alphanumeric characters anyway in the hash, so you don't need to escape anything. Allow them whatever password they wish.
marklarah Posted July 31, 2008

If you md5 it, it provides a) better security server and handling side, b) allows all sorts of password types, so better security there, and you just store it in a string, so you don't need to worry about anything there. Encode the password on sign up, and check against that.
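The two posts above make the point that only a hash reaches the database, so the password's own characters never need escaping. The following is an added example, not code from this thread or from any poster. It uses password_hash()/password_verify() (PHP 7+ for the type hints; the functions exist from PHP 5.5), which are bcrypt-based and salted, in place of the unsalted md5 the posts mention, and it shows how a row that was stored as md5 can be upgraded on the user's next login. The in-memory $users array and the sample credentials are constructed stand-ins for a database table.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Only a hash is stored, and the hash
// has a fixed, quote-free alphabet, so the password's character set is irrelevant
// to storage and to SQL. Requires PHP 7+ (password_hash exists from 5.5).

// Constructed in-memory stand-in for a users table: username => stored credential.
// 'bob' holds a legacy unsalted md5, as the posts above suggest, to show migration.
$users = [
    'bob' => md5('hunter2'),   // 32 hex chars, no salt, cheap to brute-force
];

function register_user(array &$users, string $username, string $password): string
{
    // PASSWORD_DEFAULT is bcrypt: random per-user salt, deliberately slow.
    // Output is 60 chars from [A-Za-z0-9./$], so quotes, < or > in the
    // password never reach a query. Caveat: bcrypt uses only the first 72 bytes.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $users[$username] = $hash;
    return $hash;
}

function login(array &$users, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Verified against when the user does not exist, so an unknown
        // username costs the same time as a wrong password.
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    if (!isset($users[$username])) {
        password_verify($password, $dummy);
        return false;
    }
    $stored = $users[$username];

    // Legacy path: unsalted md5 rows (32 lowercase hex chars). Compare in
    // constant time and upgrade the row to bcrypt as soon as the login succeeds.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Rehash if the default algorithm or cost has changed since the row was written.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demo with a password full of the characters the thread worries about.
$pw = "it's \"raining\" <cats>; -- ' OR '1'='1";
$hash = register_user($users, 'alice', $pw);
printf("stored for alice:      %s (%d chars)\n", $hash, strlen($hash));
printf("alice, right password: %s\n", login($users, 'alice', $pw) ? 'ok' : 'denied');
printf("alice, wrong password: %s\n", login($users, 'alice', 'password') ? 'ok' : 'denied');
printf("bob (md5 row) login:   %s\n", login($users, 'bob', 'hunter2') ? 'ok' : 'denied');
printf("bob now stored as:     %s...\n", substr($users['bob'], 0, 7));
printf("unknown user:          %s\n", login($users, 'nobody', 'x') ? 'ok' : 'denied');
```

The md5 branch exists only to migrate old rows; new registrations never use it. The hash column still needs to be wide enough for bcrypt's 60 characters (and more for future algorithms), which is the one storage detail the password's character set does not decide.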
ikmyer Posted July 31, 2008

I generally allow every character but < and >
webref.eu Posted July 31, 2008

If I allow every character, doesn't it make it easier to do an SQL injection attack? Rgds
.josh Posted July 31, 2008

> If I allow every character, doesn't it make it easier to do an SQL injection attack? Rgds

The way SQL injection attacks work is you finish off the query string by adding a ' and then starting a new query string or adding a new command or adding a condition that will always be true like 1=1 in order to alter the query string. SQL injection attacks pretty much rely on being able to add that quote in there, so it is virtually eliminated by simply doing mysql_real_escape_string($input) on your vars. If someone tries to input a quote it will be escaped like \' so that it will be taken literally.
webref.eu Posted July 31, 2008

OK, thanks for that. Rgds
discomatt Posted July 31, 2008

To add to this... you should never store passwords in plain text. Most (all popular) hashing algorithms will not generate a string with quotes.
marklarah Posted August 1, 2008

It depends if you have magic quotes enabled for Post and such. I think as of PHP 6 it is being disabled, but if you need to see and learn about injections, I just made this for you:

<?php
mysql_connect("localhost", "...", "...") or die(mysql_error());
mysql_select_db("testing") or die(mysql_error());

if (isset($_POST['jeff'])) {
    // I have magic quotes enabled. If you don't, get rid of stripslashes().
    // I have that there to emulate it.
    $jeff = stripslashes($_POST['jeff']);

    // Checking: the input is spliced straight into the query string
    $q = "SELECT * FROM `test` WHERE `id` = '1' AND `val` = '$jeff'";
    $result = mysql_query($q) or die(mysql_error());
    $num = mysql_num_rows($result);
    if ($num == '1') {
        echo 'Correct';
    } else {
        echo 'Incorrect';
    }
    echo '<br><br><b>Query Being Executed: </b>' . $q;
} else {
?>
<form action="" method="post">
Value: <input type="text" name="jeff">
<br>
<input type="submit">
</form>
<?php
}
?>

Your sql code

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `testing`
--

-- --------------------------------------------------------

--
-- Table structure for table `test`
--

CREATE TABLE IF NOT EXISTS `test` (
  `id` int(11) NOT NULL auto_increment,
  `val` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `test`
--

INSERT INTO `test` (`id`, `val`) VALUES
(1, 'chickenpie');

I presume you understand all that code. Play around with that, and you will see what works and what doesn't. Then protect against it. An example of what works is ' or '' = '
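The post above shows the vulnerable pattern and asks the reader to "protect against it"; .josh's earlier reply proposes mysql_real_escape_string() for that. The following is an added example, not the poster's code, that puts the vulnerable concatenation beside the fix a practitioner would reach for today: a prepared statement, where the SQL text is fixed and the input is bound as a parameter. It reuses the post's `test` table, its 'chickenpie' row and its "' or '' = '" input, but runs against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) so it needs no MySQL server. Note that the mysql_* functions used in the post were removed in PHP 7, and magic quotes were removed in PHP 5.4, so the post's script itself only runs on PHP 5.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Same table and inputs as the post
// above, run against in-memory SQLite via PDO so it works offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, val TEXT NOT NULL)');
$db->exec("INSERT INTO test (id, val) VALUES (1, 'chickenpie')");

// The post's pattern: user input spliced straight into the SQL string.
// A quote in the input ends the literal and the rest is parsed as SQL.
function check_vulnerable(PDO $db, string $input): int
{
    $q = "SELECT * FROM test WHERE id = '1' AND val = '$input'";
    return count($db->query($q)->fetchAll());
}

// Hardened: the SQL text never changes. The input is sent as a bound value,
// so quotes in it are plain data and no escaping call has to be remembered.
function check_prepared(PDO $db, string $input): int
{
    $stmt = $db->prepare('SELECT * FROM test WHERE id = :id AND val = :val');
    $stmt->execute([':id' => 1, ':val' => $input]);
    return count($stmt->fetchAll());
}

// Constructed inputs: the real value, an honest wrong guess, and the post's payload.
$inputs = [
    'chickenpie',
    'wrongpie',
    "' or '' = '",
];
foreach ($inputs as $input) {
    printf("%-16s concatenated: %d row(s)   prepared: %d row(s)\n",
        var_export($input, true),
        check_vulnerable($db, $input),
        check_prepared($db, $input));
}
```

Only the concatenated version returns a row for the third input. Prepared statements also avoid the failure mode of escaping functions, which depend on the escaping routine and the connection's character set agreeing and on the developer calling it on every single variable.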