Re: Do you trim() usernames and passwords?

Dotan Cohen wrote:
> On Tue, Dec 28, 2010 at 21:57, Nathan Rixham <nrixham@xxxxxxxxx> wrote:
>> Don't trim or limit the range of input characters, but far more importantly
>> /don't send passwords in clear text/, indeed don't generate passwords at
>> all, let users enter their desired password, then they won't be copy and
>> pasting them ;)
>>
>> ps: if unavoidable, then give some advice on "login" failure like "passwords
>> are case sensitive, check you don't have caps lock on and that you haven't
>> included any additional spaces".
>
> I'm toying with the idea of having the passwords hashed twice: they're
> already in the database hashed, and javascript hashes them on the
> client before sending them over, but I'm thinking about sending an
> additional salt to the client to hash the hashed passwords with salt,
> and that's what is sent back. This way, each login is done with a
> different hash of the password so an attacker cannot simply capture
> and reuse the hashed password.

That would possibly address some man-in-the-middle attacks; however, it'd be much easier and more secure to simply have all "logged in" functionality over http+tls (https://), which will ensure encryption over the wire, and it's peer to peer, thus impossible for anything to even be "in the middle".

Best,

Nathan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php