Check for spaces, consecutive/identical chars, max length #16
Just for information, this topic is a continuation of owncloud-archive/security#34. (03) and (04) were considered as an enhancement here:
Hello, did you test the 02 feature? I have gone through the source code but didn't find any validation for that. Please take a look into that as well. Regards & Thanks,
I just checked in 10.09RC1. The following passwords work: I can understand why that Uni of Georgia policy document would say not to use tab in a password - that would just be really difficult to actually input on a login page! But I am not sure why a user should not use the space character in their password?
Hello @phil-davis, thanks for the information. The simple answer for this is that it is a bad password policy. You are using UTF-8 and I don't think this would be a problem, but the point here is to limit the password length as well, so that somebody doesn't soak up 1MB of bandwidth (and the corresponding CPU time to hash the input) every time they log in. Hope you'll understand the technicality of this. Regards & Thanks,
Hello Team,
You are validating the 4 things right now but missing some important policies. Here are some policies which will improve the security of your webapp.
(01) Set the maximum character length for a password as a best practice e.g. thirty characters max.
(02) No spaces.
(03) No consecutive keyboard characters.
(04) No consecutive identical characters.
Please see this article for reference: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/passwords/password_standard/
Hope to hear back some positive news from your side.
Regards & Thanks
Mohammed Israil
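The four rules above implemented as one checker, run before the password reaches the hash function (added example, not the ownCloud password_policy plugin's own PHP code; the rule ids, the keyboard-row table and the run length of 3 for rule 03 are assumptions):

```python
# Added example, not the ownCloud password_policy plugin's own code: a
# checker for the four rules proposed in this issue. Rule ids, MAX_LENGTH,
# the keyboard-row table and the run length of 3 are assumptions.

MAX_LENGTH = 30  # rule (01): "thirty characters max" from the issue text

# Rule (03) needs a definition of "consecutive keyboard characters". This
# table is an assumption: the four rows of a US QWERTY layout, left to right.
KEYBOARD_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")
KEYBOARD_RUN = 3  # assumption: flag runs like "qwe" or "321", not every "er"


def _keyboard_neighbours(a: str, b: str) -> bool:
    """True if b is immediately left or right of a on the same keyboard row."""
    for row in KEYBOARD_ROWS:
        i = row.find(a.lower())
        if i != -1:
            j = row.find(b.lower())
            return j != -1 and abs(i - j) == 1
    return False  # a is not a character from the table (e.g. '&', ' ')


def _has_keyboard_run(password: str) -> bool:
    """True if KEYBOARD_RUN or more adjacent characters are keyboard neighbours."""
    run = 1
    for a, b in zip(password, password[1:]):
        run = run + 1 if _keyboard_neighbours(a, b) else 1
        if run >= KEYBOARD_RUN:
            return True
    return False


def check_password(password: str) -> list:
    """Return the ids of the violated rules; an empty list means it passes."""
    violations = []
    # Length first: it is a cheap check and it bounds the input that later
    # reaches the password hash, which is the CPU-time point raised above.
    if len(password) > MAX_LENGTH:
        violations.append("01-max-length")
    if " " in password:
        violations.append("02-no-spaces")
    if _has_keyboard_run(password):
        violations.append("03-consecutive-keyboard")
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("04-consecutive-identical")
    return violations
```

Note that rule 03 as written flags nothing about order or case, so "QwE" and "ewq" are both treated as a keyboard run.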