http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12473

password fields are not validated using javascript (lengths)

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From [EMAIL PROTECTED]  2002-09-12 05:31 -------
Any client validation of password fields constitutes a security hole. Even if the intent is to check that a new password (or a changed password) conforms to a minimum required length, that is valuable information to a cracker. If a cracker wants to break into your site by "guessing" an account password, or using a brute force search, any information that reduces the password space to be searched vastly simplifies the cracker's job.

For example, if you set a minimum password length of 8 characters, and a cracker can determine that from JavaScript code supplied to the client, the cracker now knows that s/he doesn't have to waste time searching the space of fewer than 8 characters for a valid password. That means that s/he can now focus more time and energy on passwords that are likely to be valid, thus increasing the risk that your site will be cracked.