Right, I agree Barney.  I always hash, but I just wanted to make a point
that if your system (DB, programming language, OS, etc) support it, we
shouldn't feel the need to restrict stuff just because that's always how
we thought of passwords.  I agree with the username insensitivity and
limitations as well.  However, most of my systems, I build it so that
the username can be an email address or username so that the customer
may choose to have the usernames be email addresses or they may want a
separate username. 


John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer
 

-----Original Message-----
From: Barney Boisvert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 08, 2005 11:16 AM
To: CF-Talk
Subject: Re: Password Rules - Was: RE: cftransaction... it wasnt safe?

For usernames, I usually only allow alphanumerics, constrain the length,
and treat them case insensitively.  No spaces, no punctuation, no
200-char strings.  It just makes things easier.  Passwords, however, are
an open game.  Anything you can cram in the form fields, you can use.
And your database's support should be irrelevant, because you shouldn't
be storing plaintext passwords anyway.  You should always hash them, and
for all but the simplest apps, should salt the hash.

cheers,
barneyb

On Tue, 8 Mar 2005 10:50:41 -0500, Burns, John D
<[EMAIL PROTECTED]> wrote:
> I've thought this logic through many times and my personal opinion is 
> that it comes down to support.  If my DB and programming language can 
> handle the weird characters, why make them "illegal"?  Back in the 
> days when the systems couldn't handle certain characters, I could 
> understand the restraints, but now, if you're using a good DB and 
> language, it seems the only limitations you really need to put on 
> usernames and passwords is length (based on the field in the DB and 
> any security rules you'd like to enforce (must contain a letter,
> number and symbol, etc.).
> Now, my thought is that's all that you need to do IN THEORY. If 
> someone can type it in, let it be. However, I do realize that people 
> may accidentally type in incorrect information when they register 
> their username or password and then it becomes a support issue.  
> However, if you do duplicate fields where people have to retype 
> information, that will tend to decrease the number of mistakes that 
> happen. This is just my opinion and I figured I'd share and see if
> anyone else has comments.
> 
> John Burns
> Certified Advanced ColdFusion MX Developer Wyle Laboratories, Inc. | 
> Web Developer
> 
> -----Original Message-----
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 08, 2005 10:28 AM
> To: CF-Talk
> Subject: RE: cftransaction... it wasnt safe?
> 
> While the same OS allows spaces in passwords...
> 
> -----Original Message-----
> From: Jared Rypka-Hauer - CMG, LLC [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 8 March 2005 9:21
> To: CF-Talk
> Subject: Re: cftransaction... it wasnt safe?
> 
> [snip]
> 
> There are rules for passwords, and "no spaces" be one of mine. I 
> figure if Microsoft can tell me that "Backup 2/15/2005.zip" is an
> illegal file name, then I can tell someone that "my dog has$$fleas   "
> is an illegal password.
> 
> [snip]
> 
> 



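The scheme Barney describes above (alphanumeric, case-insensitive, length-bounded usernames; any characters accepted in passwords, which are stored only as a salted hash), as an added Python example that is not part of this thread. The 3-32 character username bounds and the PBKDF2 parameters are assumptions, not values from the discussion.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Usernames: alphanumerics only, bounded length (assumed 3-32), compared case-insensitively.
USERNAME_RE = re.compile(r"^[a-z0-9]{3,32}$")


def normalize_username(raw: str) -> str:
    """Lower-case for case-insensitive lookups; reject spaces, punctuation, long strings."""
    name = raw.lower()
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must be 3-32 alphanumeric characters")
    return name


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 (assumed parameters). The password is used exactly as typed:
    spaces, trailing whitespace, '$' and non-ASCII all survive, so nothing needs restricting."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def register(users: dict, raw_username: str, password: str) -> str:
    name = normalize_username(raw_username)
    if name in users:
        raise ValueError("username already taken")
    users[name] = hash_password(password)  # store (salt, digest), never the plaintext
    return name


def login(users: dict, raw_username: str, password: str) -> bool:
    try:
        name = normalize_username(raw_username)
    except ValueError:
        return False
    record = users.get(name)
    if record is None:
        hash_password(password)  # same cost for unknown user and wrong password
        return False
    return verify_password(password, *record)
```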
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197842
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4