  1. #1
    doubledee

    Allow Space in Password?

    My code currently requires a User to have at least 1 Special Character in his/her Password.

    Should I allow Users to use the "Space" as a valid "Special Character"?

    Could this cause any security issues?

    Could it break my code?

    (*Note: I use Prepared Statements exclusively in all scripts!)

    Thanks,


    Debbie

  • #2
    Fou-Lu
    Spaces are fine. You should encourage the use of password phrases which would include spaces anyway. Even the simplest phrases are in excess of 25 characters plus: My name is Fou-Lu for example is 18.

    Edit:
    Oh, and for dbms, that's no problem. Since you'll be hashing the password anyways, you'll never have a space or special character in it (assuming it's in hex).
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    doubledee
    Quote Originally Posted by Fou-Lu View Post
    Spaces are fine. You should encourage the use of password phrases which would include spaces anyway. Even the simplest phrases are in excess of 25 characters plus: My name is Fou-Lu for example is 18.
    Well, "Pass-Phrases" are for v2.5 or v3.0, but I agree with what you are saying. (For now, I am doing the academic: 1 Uppercase, 1 Lowercase, 1 Number, 1 Special Character, 8-15 Characters in length.)


    Edit:
    Oh, and for dbms, that's no problem. Since you'll be hashing the password anyways, you'll never have a space or special character in it (assuming it's in hex).
    Yes, I suppose so. Here is how I create my Passwords now...
    PHP Code:
    // Generate New Hash (HMAC-SHA512 of password + salt, keyed with the VINEGAR constant).
    $newHash = hash_hmac('sha512', $newPass . $newSalt, VINEGAR);

    Thanks,


    Debbie

  • #4
    doubledee
    BTW, on a related note, I guess based on your last response, "trimming" Form data could create problems for me, right?

    Here is my standard approach for handling Form data...
    PHP Code:
    // HANDLE FORM.
    if ($_SERVER['REQUEST_METHOD']=='POST'){
        // Form was Submitted (Post).

        // Initialize Errors Array.
        $errors = array();

        // Trim all form data.
        $trimmed = array_map('trim', $_POST);

        // Validate Form Data.

        // **************************
        // Check Current Password.  *
        // **************************
        if (empty($trimmed['currPass'])){
            // Current Password does Not Exist.
            $errors['currPass'] = 'Enter your Current Password.';

        }else{
            // Current Password Exists.
            $currPass = $trimmed['currPass'];

        }//End of CHECK CURRENT PASSWORD
    }

    If a User had a Password like "I Like Ice Cream With Sprinkles " then my code would break the User's entry, right?

    What is a *reasonable* approach to this? (At this point, I need to be careful about continually "re-tooling" my code-base...)


    Debbie

  • #5
    patryk
    If a User had a Password like "I Like Ice Cream With Sprinkles " then my code would break the User's entry, right?
    obviously.
    you can't trim passwords. after all "I Like Ice Cream With Sprinkles " != "I Like Ice Cream With Sprinkles"

  • #6
    doubledee
    Quote Originally Posted by patryk View Post
    obviously.
    you can't trim passwords. after all "I Like Ice Cream With Sprinkles " != "I Like Ice Cream With Sprinkles"
    It isn't that "obvious", because a lot of people I know would say, "If you are dumb enough to put a space at the end of your password, then you get what you deserve!"

    When I incorporate Pass-Phrases in v3.0, then I can better handle things like this, but for now, it seems practical to leave my code as it is, and assume that users choosing to start or end their passwords with a space will be the exception to the rule...

    Sincerely,


    Debbie

  • #7
    patryk
    that's setting a trap for users
    at least put "can't start nor end with space" sign next to input

  • #8
    doubledee
    Quote Originally Posted by patryk View Post
    that's setting a trap for users
    at least put "can't start nor end with space" sign next to input
    Part of my resistance is the fact that I am in the final hours before v2.0 is done, and I do NOT want to break anything making changes?!

    (It is amazing how when you do something the same way for a long time, how difficult it is to comprehend doing things any other way...)


    So, based on this code, maybe you can help me figure out what I need to do to address the space issue...
    PHP Code:
    // HANDLE FORM.
    if ($_SERVER['REQUEST_METHOD']=='POST'){
        // Form was Submitted (Post).

        // Initialize Errors Array.
        $errors = array();

        // Trim all form data.
        $trimmed = array_map('trim', $_POST);

        // Validate Form Data.

        // **************************
        // Check Current Password.  *
        // **************************
        if (empty($trimmed['currPass'])){
            // Current Password does Not Exist.
            $errors['currPass'] = 'Enter your Current Password.';

        }else{
            // Current Password Exists.
            $currPass = $trimmed['currPass'];

        }//End of CHECK CURRENT PASSWORD
    }

    Would this be all I need...
    PHP Code:
    // ***********************************
    // HANDLE FORM.                      *
    // ***********************************
    if ($_SERVER['REQUEST_METHOD']=='POST'){
        // Form was Submitted (Post).

        // Initialize Errors Array.
        $errors = array();

        // Trim all form data.
        $trimmed = array_map('trim', $_POST);

        // **************************
        // Validate Form Data.      *
        // **************************

        // *****************
        // Check Email.    *
        // *****************
        // HERE I AM KEEPING MY CODE THE SAME...
        if (empty($trimmed['email'])){
            // Email does Not Exist.
            $errors['email'] = 'Enter your E-mail address.';

        }else{
            // Email exists.
            $email = $trimmed['email'];

        }//End of CHECK EMAIL

        // **************************
        // Check Current Password.  *
        // **************************
        // HERE I CHANGED THINGS TO ACCOUNT FOR LEADING/TRAILING SPACES...
        if (empty($_POST['currPass'])){
            // Current Password does Not Exist.
            $errors['currPass'] = 'Enter your Current Password.';

        }else{
            // Current Password Exists.
            $currPass = $_POST['currPass'];

        }//End of CHECK CURRENT PASSWORD
    }

    How does that look?


    Debbie

  • #9
    patryk
    right after trimming you could do something like that:
    PHP Code:
    if ($trimmed['password'] !== $_POST['password']) {
        // Strict comparison: with != two numeric strings such as " 1" and "1" compare as equal.
        // return error about spaces and go back to form
    }

    i would suggest you this solution, but i know ur a javascript hater

  • #10
    doubledee
    Quote Originally Posted by patryk View Post
    right after trimming you could do something like that:
    PHP Code:
    if ($trimmed['password'] !== $_POST['password']) {
        // Strict comparison: with != two numeric strings such as " 1" and "1" compare as equal.
        // return error about spaces and go back to form
    }

    But what about the code I posted?

    If I did it my way, then a User could have a password with a leading and/or trailing space because my Regex already allows for this. Best of both worlds, right?


    i would suggest you this solution, but i know ur a javascript hater
    And proud of it!!


    Debbie

  • #11
    patryk
    i can't see your trim() so i can't really say, but if it leaves passwords as they are then it should be ok

  • #12
    doubledee
    Quote Originally Posted by patryk View Post
    i can't see your trim() so i can't really say, but if it leaves passwords as they are then it should be ok
    Everything you need to know is in Post #8 here...
    Allow Space in Password?


    Debbie

  • #13
    patryk
    oh sorry my bad.
    yeah if you'll use $_POST['currPass'] instead of $trimmed['currPass'], then you should be fine.

    btw $_SERVER['REQUEST_METHOD']=='POST' does not mean that post form was submitted. it only means that request was made using post method

  • #14
    doubledee
    Quote Originally Posted by patryk View Post
    oh sorry my bad.
    yeah if you'll use $_POST['currPass'] instead of $trimmed['currPass'], then you should be fine.
    Okay, thanks for being a second set of eyes.


    btw $_SERVER['REQUEST_METHOD']=='POST' does not mean that post form was submitted. it only means that request was made using post method
    So will what I have blow things up?

    What should I be using?


    Debbie

  • #15
    patryk
    Quote Originally Posted by doubledee View Post
    So will what I have blow things up?
    prolly no.
    to make POST request not submitting POST form you need to want to do it. it's not like something like that would happen by accident
    but to be on the safe side you could do if(isset($_POST['someInputName']))
    this would check if actual data was sent. this will return TRUE even if field in question is empty, so you can use whatever input you have
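
The approach the thread converges on (trim ordinary fields, leave the password untouched, use isset() to confirm the field was sent), shown as an added example that is not code from any poster. `handle_form()` and `PASSWORD_FIELDS` are hypothetical names, and the submission, salt and key are constructed sample values.

```php
<?php
// Added example, not code from the thread. PASSWORD_FIELDS and handle_form()
// are hypothetical names; the submission, salt and key are constructed.
const PASSWORD_FIELDS = ['currPass'];

function handle_form(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['email', 'currPass'] as $field) {
        // isset() confirms the field was sent at all; is_string() rejects
        // array input such as currPass[]=x, which trim() cannot process.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = "Missing or malformed field: $field";
            continue;
        }
        // Trim ordinary fields only; passwords are kept byte for byte.
        $value = in_array($field, PASSWORD_FIELDS, true)
            ? $post[$field]
            : trim($post[$field]);
        if ($value === '') {
            $errors[$field] = "Enter a value for $field.";
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Constructed submission: padded e-mail, passphrase ending in a space.
$post = [
    'email'    => '  user@example.com ',
    'currPass' => 'I Like Ice Cream With Sprinkles ',
];
[$clean, $errors] = handle_form($post);
var_dump($clean['email'], $clean['currPass'] === $post['currPass'], $errors);

// Loose versus strict comparison on a space-prefixed numeric string.
var_dump(' 1' == '1', ' 1' === '1');

// The stored digest is hex whatever the input contains, but trimming the
// passphrase before hashing produces a different digest.
$salt = 'constructed-salt';
$key  = 'constructed-key';
$raw     = hash_hmac('sha512', $clean['currPass'] . $salt, $key);
$trimmed = hash_hmac('sha512', trim($clean['currPass']) . $salt, $key);
var_dump(ctype_xdigit($raw), hash_equals($raw, $trimmed));
```

The same untrimmed handling has to be applied at registration, password change and login, otherwise the digest stored for a passphrase with a leading or trailing space will never match at the next sign-in.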

