- If any part of your user interface or code truncates password plaintext input at a length of less than 255 characters, it’s a bug.
- If you can’t cope with password plaintexts that contain SPACE and TAB characters (update: or if you impose any charset restrictions) it’s a bug.
- If your passwords are not hashed, it’s a bug.
- If you’re hashing your passwords with anything other than Bcrypt, it’s a bug; bcrypt() maxes out at 72 character passwords, but that’s not your fault…
- If you allow people to use a password of less than 12 characters, it’s a bug.
- If you do not encourage people to select a unique password for your service, it’s a bug.
- If you do not encourage people to use passphrases, it’s a bug.
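The rules above, applied in code. This is an added example, not from the original post or its referenced article; it assumes the PyPI `bcrypt` package for the hashing step and treats the limits (12 characters minimum, 255 accepted, 72 bytes for bcrypt) as the policy numbers. The one thing it adds beyond the list is that bcrypt's 72 limit is in bytes after UTF-8 encoding, so a non-ASCII passphrase hits it far earlier than 72 characters.

```python
# Password acceptance and hashing following the rules above.
# Assumption: the PyPI "bcrypt" package (pip install bcrypt) for hashing;
# the policy checks run without it.
try:
    import bcrypt
except ImportError:
    bcrypt = None

MIN_CHARS = 12          # rule: shorter than 12 characters is a bug
MAX_CHARS = 255         # rule: the UI must accept at least 255 characters
BCRYPT_MAX_BYTES = 72   # bcrypt only uses the first 72 bytes of input


def check_password(password: str) -> list:
    """Return policy violations (empty list means acceptable).

    Deliberately no character-set rule: SPACE, TAB and any Unicode are fine.
    Nothing is stripped or truncated; over-long input is rejected with a
    reason, because silently cutting it off is the bug the rules warn about.
    """
    problems = []
    if len(password) < MIN_CHARS:
        problems.append("too_short")
    if len(password) > MAX_CHARS:
        problems.append("too_long")
    # bcrypt's limit is in BYTES, not characters: a 26-character Chinese
    # passphrase is already 78 bytes once UTF-8 encoded.
    if len(password.encode("utf-8")) > BCRYPT_MAX_BYTES:
        problems.append("exceeds_bcrypt_72_bytes")
    return problems


def hash_password(password: str) -> bytes:
    """Hash an accepted password with bcrypt (cost factor 12)."""
    if bcrypt is None:
        raise RuntimeError("install the bcrypt package to hash passwords")
    problems = check_password(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt(rounds=12))


def verify_password(password: str, stored_hash: bytes) -> bool:
    """Check a login attempt against the stored bcrypt hash."""
    if bcrypt is None:
        raise RuntimeError("install the bcrypt package to verify passwords")
    return bcrypt.checkpw(password.encode("utf-8"), stored_hash)
```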
Reference:
http://www.computerworlduk.com/blogs/unscrewing-security/username-google--password-2bon2btitq-3570448/