PerlMonks  

What are acceptable web user id & password?

by tariqahsan (Beadle)
on Jun 05, 2006 at 14:41 UTC

tariqahsan has asked for the wisdom of the Perl Monks concerning the following question:


Replies are listed 'Best First'.
Re: What are acceptable web user id & password?
by sgifford (Prior) on Jun 05, 2006 at 16:11 UTC
    Just another perspective: I routinely do not use Web-based systems which will not allow me to use my email address as a username, and if I care about the security at all, a complex password containing various symbols, letters, and numbers.

    If you're going to ask a user to remember something in order to use your site, you should let them put in anything that's easy for them to remember and they feel is secure, and make sure your system deals with weirdness appropriately (for example by appropriately escaping parts that may be confusing to a Web browser or a database).

    In other words, my advice is: do more work coding so your users can be lazy, instead of being lazy so your customers have to do more work remembering.

Re: What are acceptable web user id & password?
by swkronenfeld (Hermit) on Jun 05, 2006 at 14:55 UTC
    To address the Perl question first, once you determine what characters are allowable in passwords, just use an inverted character class to determine if any unacceptable characters are supplied. To invert a character class, add a caret to the front of it. For example,
        # Just add any other valid characters after the \w
        if ($password =~ /[^\w]/) {
            # invalid character supplied
        }
    As for what characters to allow...are you asking about password strength for heightening security? I'm not aware if there's an industry standard, but I've often seen password schemes that require picking at least 3 different character classes (where the four classes are often uppercase, lowercase, punctuation and numbers).
Re: What are acceptable web user id & password?
by dorward (Curate) on Jun 05, 2006 at 14:58 UTC

    I've not heard of any standard for it, but my first thought would be to limit usernames to [a-zA-Z0-9_-]+ since they are often displayed, and allow anything at all in passwords (with the possible exception of whitespace) so people can have secure passwords.

    You might also consider something like Data::Password::Check, although, while it looks like a good starting point, it could do with extra features (such as "password not based on a dictionary word". I don't know if better modules exist for that type of thing.

      I was told it has to be non-white space and non-XML special characters along with being alphanumeric. How can I achieve this pattern matching for 1 to many occurrences of such acceptable characters?

      Thanks!

        No alphanumeric character is an XML special character or a whitespace character, so having those additional constraints makes no difference.

        Just test that it is alphanumeric; taking the hyphen and underscore out of my previous regex will give you that.

Re: What are acceptable web user id & password?
by planetscape (Chancellor) on Jun 05, 2006 at 15:43 UTC

    Some thoughts on choosing passphrases may be found here.

    Please do not keep posting the same question again and again, expecting such action to speed responses.

    HTH,

    planetscape
Re: What are acceptable web user id & password?
by cowboy (Friar) on Jun 05, 2006 at 20:45 UTC

    For passwords I would accept anything the user can type. Ideally you'll be hashing it before storing it anyway.

    Let them make it an entire sentence if they wish. You may involve certain minimum requirements, like must contain an upper case character, or must contain at least one number, must be 6+ characters in length.

    Lately I've run into a few places I started to sign up to, and gave up. Why? The password. They wanted 6-8 characters in length (9 is too long), containing at least one upper case character, and one number. 9, 10, 12 or more characters, and I could have come up with something I can remember that contained an upper case character and a number. With exactly 6-8 characters, I couldn't come up with anything I thought both complex enough, yet easy enough to remember that I wouldn't have to resort to writing it on a sticky note and attaching it to my monitor.

    Update: clarified I was commenting about passwords.
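Added example (not code posted by anyone in this thread): one way to put the advice above together in Perl. It assumes a constructed policy: usernames are 1 to 32 ASCII alphanumerics, as in the follow-up to dorward's reply; passwords accept any printable character (so a whole sentence works), require a minimum length, and need three of swkronenfeld's four character classes unless they are long passphrases. Note the anchors: the `[^\w]` test above looks for a bad character anywhere, whereas a whole-string rule needs `\A ... \z`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed policy, constructed for this example: usernames are 1..32 ASCII
# alphanumerics. \w is deliberately avoided because in Perl it also matches
# the underscore and Unicode letters, which is more than "alphanumeric".
sub valid_username {
    my ($name) = @_;
    # \A and \z anchor the whole string; $ alone would still match
    # before a trailing newline, letting "alice\n" through.
    return $name =~ /\A[A-Za-z0-9]{1,32}\z/ ? 1 : 0;
}

# Returns a list of problems; an empty list means the password is accepted.
sub password_problems {
    my ($pw) = @_;
    my @problems;
    push @problems, 'shorter than 8 characters' if length($pw) < 8;
    # Only control characters are rejected; spaces and punctuation are fine,
    # so the user may type an entire sentence as a passphrase.
    push @problems, 'contains control characters' if $pw =~ /[[:cntrl:]]/;
    # Count the four classes from the thread: upper, lower, digit, punctuation.
    my $classes = 0;
    $classes++ if $pw =~ /[A-Z]/;
    $classes++ if $pw =~ /[a-z]/;
    $classes++ if $pw =~ /[0-9]/;
    $classes++ if $pw =~ /[[:punct:]]/;
    # Assumed rule: long passphrases (16+) are exempt from the class count.
    push @problems, 'uses fewer than 3 character classes'
        if $classes < 3 && length($pw) < 16;
    return @problems;
}

# Constructed sample inputs.
for my $name ('alice', 'bob_smith', "alice\n", 'a' x 33) {
    printf "username %-38s %s\n", "'$name'",
        valid_username($name) ? 'ok' : 'rejected';
}
for my $pw ('correct horse battery staple', 'Tr0ub4dor&3', 'short1A') {
    my @p = password_problems($pw);
    printf "password %-32s %s\n", "'$pw'", @p ? join('; ', @p) : 'ok';
}
```

The same anchoring point applies to the `[a-zA-Z0-9_-]+` username pattern in dorward's reply: on its own it only requires that some run of those characters appears in the string.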

Re: What are acceptable web user id & password?
by ambrus (Abbot) on Jun 05, 2006 at 17:55 UTC

    For passwords, I think you should allow anything the user wants to use, because no-one but the user will see or have to type it. Username is a bit more difficult.
