Hi there;
Hey Daniel, we definitely don't store pw's in plain text, and never have as far as I can remember. We store a hash like you say. The pw length message might be over from the olden days or might have some other explanation, but I'm sure Peter will be along shortly to clarify
Yeah, that restriction is totally arbitrary, a minimum length was put in place to try and encourage people to have more secure passwords. The maximum - well, I don't even remember the logic for that, which is probably because there really isn't any logic to it. It's just a hangover from earlier, less-experienced days.
Passwords have always been hashed in our database and for a few years now have also been hashed and "salted". I believe some of these other high-profile cases were from databases where the passwords were hashed but not salted, which still leaves you open to problems, because so many password hashes are already known. For example, you can work out everyone who has 123456 as their password, because the hash for it is always the same. Once salted with a random value, and then rehashed again, or even rehashed several times, this becomes much, much harder. This is what our current practice is.
Note, it's for this reason that we can't ever send someone their password if they've forgotten it, because it's really quite impossible for even us to work it out! If you lose your password, you will need to receive an email with a special expiring link allowing you to reset it.
Suffice to say, apart from the fairly random restriction on number of characters in your password, the passwords are protected at an above-average standard in our database.
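To make the point in the reply above concrete, here is an added example (not code from the site or the staff replying) that hashes a constructed set of users two ways: plain unsalted hashing, where everyone with 123456 shares one hash, and per-user salted, iterated hashing. It assumes PBKDF2-HMAC-SHA256 as the "rehashed several times" scheme, since the reply does not name one.

```python
import hashlib
import hmac
import os

# Constructed sample users: alice and carol picked the same weak password.
USERS = {"alice": "123456", "bob": "correct horse staple", "carol": "123456"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no salt: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def duplicate_groups(stored: dict) -> list:
    """Group users whose stored value is identical. With unsalted hashes
    this alone reveals who shares a password (and which hash to look up)."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return sorted(group for group in by_value.values() if len(group) > 1)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Salted and stretched (PBKDF2-HMAC-SHA256, assumed scheme): a fresh
    random salt per user, so equal passwords give different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: make_record(p) for u, p in USERS.items()}
    return {
        "unsalted_dupes": duplicate_groups(unsalted),
        "salted_dupes": duplicate_groups({u: r["digest"] for u, r in salted.items()}),
        "verify_ok": verify(salted["alice"], "123456"),
        "verify_bad": verify(salted["alice"], "12345"),
    }
```

The salted records cannot be reversed into the password either, which is why a reset link rather than the original password is the only thing the site can send.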
I'd say get rid of the maximum limit if it's at all possible, or at least make it very high.
(BTW awesome customer service guys! I'm pretty convinced I've made the right choice for our travel blog!)
Password length on user accounts