stackoom
  简体   繁体   中英

How can I validate a password via PHP?

 原文  2016-05-31 20:52:41       php/ validation/ security

Question

I know that to store a password you have to hash it. I use password_hash and password_verify to do it.

But I am surprised that some people say that you do not need to validate a password before hash it, because you are going to hash it anyway.

I think that at least it would be good practice to validate that the user enters a password with length more than an amount of characters or to make the user to input a special character ( * , " , ' , etc). At least to make the password strong.

So here I have some questions:

  • Is it considered a good practice not validate anything about the password and only hash it?
  • Has an additional security to make a validation before hash the password?
  • If so, what should be considered in that validation?

Note: I want to know all of these questions from security point of view.

Thanks in advance!

1 answers

solution1
 0  2016-05-31 21:23:57

Password strength requirements are context sensitive. You don't talk about your context.

Normally I would set a minimun length, and compute some sort of complexity index, so as to prevent people from entering 'aaaaaaaa' or '12345678'.

But password strength requirements are annoying, especially when you dictate many rules.

I often try to implement another strategy: I choose the password for my visitors. This is not a new idea; Think about the personal identification number for a credit card. This has many benefits:

  • My visitors don't have to choose a password, something they often find awkward.
  • I definitely control the complexity of the passwords.
  • I cannot possibly know the often used password of my visitors (and hack their accounts on other sites).

There's also a downside: The visitor has to 'remember' the password I chose. Keep it simple. A four digit PIN already has 10000 variants. To prevent abuse I limit the number of tries.

For sites that needs to be very secure you could increase the complexity of the password and reissue passwords regularly. Do not store the password in your database, only store a salted hash. Don't email the password but show it in a SSL secured HTML page. If the security requirements aren't that high you can ignore some of these rules.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to validate password with jquery and php? How can I validate an unsigned number in PHP? How can i validate integer form in php? How can I decrypt a password hash in PHP? How to validate email id and password & confirm password in php PHP: Validate Current Password validate email with password in php How do I authenticate and validate a password? How can i use validate my signup form in php How I can count char in a string and validate using PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM