[PHP] Do you trim() usernames and passwords?
I seem to have an issue with users who copy-paste their usernames and passwords copying and pasting leading and trailing space characters. The obvious fix was to trim() the values that I receive, but I worry how that would affect users who use a space at the beginning or end of their password. Of course, if I trim() also when the user is setting his password then he will never know that his password is really 1 digit shorter, but do I really want to do that? Thoughts? Thanks!

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Do you trim() usernames and passwords?
On Tue, 2010-12-28 at 14:49 +0200, Dotan Cohen wrote:
> I seem to have an issue with users who copy-paste their usernames and
> passwords copying and pasting leading and trailing space characters.
> The obvious fix was to trim() the values that I receive, but I worry
> how that would affect users who use a space at the beginning or end of
> their password. Of course, if I trim() also when the user is setting
> his password then he will never know that his password is really 1
> digit shorter, but do I really want to do that? Thoughts? Thanks!
>
> --
> Dotan Cohen
>
> http://gibberish.co.il
> http://what-is-what.com

The copy-paste thing I've noticed only really seems to happen on Windows, particularly with Outlook. The thing I always tell people if I'm emailing people a password is that they should type it out rather than copy-paste to avoid these issues. The whitespace usually seems to consist of newlines and carriage returns, so you could try stripping those two characters out specifically rather than a full trim().

As you've said, a user might want a space in their password, and should be allowed to use them. Maybe add a footnote to the password field reminding people about accidental copied characters, and perhaps a Javascript counter that displays the number of characters used in the password field (as a lot of people know their password length but find counting the password characters in a field difficult because the characters are all the same and the eyes can't follow easily).

Thanks,
Ash
http://www.ashleysheridan.co.uk
[PHP] Re: Do you trim() usernames and passwords?
On 12/28/2010 7:49 AM, Dotan Cohen wrote:
> I seem to have an issue with users who copy-paste their usernames and
> passwords copying and pasting leading and trailing space characters.
> The obvious fix was to trim() the values that I receive, but I worry
> how that would affect users who use a space at the beginning or end of
> their password. Of course, if I trim() also when the user is setting
> his password then he will never know that his password is really 1
> digit shorter, but do I really want to do that? Thoughts? Thanks!

Can't you simply specify the allowed characters that can be used for PWs and usernames? I always do, e.g., 6-8, case sensitive, alphanumerics, and the following characters: "@, #, $, %, &, *, -".

Then, I trim() and check the submitted PW for any exceptions to the rules.
Re: [PHP] Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 15:12, Ashley Sheridan wrote:
> The copy-paste thing I've noticed only really seems to happen on Windows,
> particularly with Outlook. The thing I always tell people if
> I'm emailing people a password is that they should type it out rather than
> copy paste to avoid these issues. The whitespace usually
> seems to consist of newlines and carriage returns, so you could try stripping
> those two characters out specifically rather than a full
> trim().

I do trim newlines, carriage returns, null characters, vertical and regular tabs. However, the space is the problem. I don't think that telling them to type it out is a good solution as it is "fixing the user" which, although it might be where the problem lies, is never the solution.

> As you've said, a user might want a space in their password, and should be
> allowed to use them. Maybe add a footnote to the
> password field reminding people about accidental copied characters, and
> perhaps a Javascript counter that displays the number of
> characters used in the password field (as a lot of people know their password
> length but find counting the password characters in a
> field difficult because the characters are all the same and the eyes can't
> follow easily)

I will add such a footnote in the event of a failed password attempt (right there with the capslock warning) but I do not think that a counter is a good method.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 15:27, Al wrote:
> Can't you simply specify the allowed characters that can be used for PWs and
> usernames?

No, I hate when websites do that. It leads to less secure passwords, not more secure, and it is passing the burden of fixing the issue onto the user.

> I always do, e.g., 6-8, case sensitive, alphanumerics, and the following
> characters: "@, #, $, %, &, *, -".
>
> Then, I trim() and check the submitted PW for any exceptions to the rules.

I regularly use other characters in my passwords. Off the top of my head, I have passwords with the tilde, underscore, and exclamation point. Sites that don't let me use them don't get my business. Seriously. I once even switched banks twice in one week: once because the old bank's website did not work with Firefox in Fedora, and the second time because the new bank's website would not let me use an exclamation point in my password. I might be an extreme example, but it is behaviour that I do not agree with.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 02:49:59PM +0200, Dotan Cohen wrote:
> I seem to have an issue with users who copy-paste their usernames and
> passwords copying and pasting leading and trailing space characters.
> The obvious fix was to trim() the values that I receive, but I worry
> how that would affect users who use a space at the beginning or end of
> their password. Of course, if I trim() also when the user is setting
> his password then he will never know that his password is really 1
> digit shorter, but do I really want to do that? Thoughts? Thanks!

If users want to embed spaces in their passwords, well and good. But at the beginning or end? No. Trim them. As mentioned elsewhere, I suspect this is mostly because of copying and pasting.

Paul

--
Paul M. Foster
http://noferblatz.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 8:52 AM, Dotan Cohen wrote:
> On Tue, Dec 28, 2010 at 15:27, Al wrote:
>> Can't you simply specify the allowed characters that can be used for PWs and
>> usernames?
>
> No, I hate when websites do that. It leads to less secure passwords,
> not more secure, and it is passing the burden of fixing the issue onto
> the user.
>
>> I always do, e.g., 6-8, case sensitive, alphanumerics, and the following
>> characters: "@, #, $, %, &, *, -".
>>
>> Then, I trim() and check the submitted PW for any exceptions to the rules.
>
> I regularly use other characters in my passwords. Off the top of my
> head, I have passwords with the tilde, underscore, and exclamation
> point. Sites that don't let me use them don't get my business.
> Seriously. I once even switched banks twice in one week: once because
> the old bank's website did not work with Firefox in Fedora, and the
> second time because the new bank's website would not let me use an
> exclamation point in my password. I might be an extreme example, but
> it is behaviour that I do not agree with.

I completely agree with your method. I too have switched banks and other online services because of developer / programmer laziness.
Re: [PHP] Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 17:13, Paul M Foster wrote:
> If users want to embed spaces in their passwords, well and good. But at
> the beginning or end? No. Trim them. As mentioned elsewhere, I suspect
> this is mostly because of copying and pasting.

A leading space in a password is a terrific defence against accidentally entering the password at the CLI and having it saved to history. I've done that, not noticing that I was getting an SSH error instead of a password prompt, and had the password in the history of a machine that I couldn't erase the history of.

Another defensive password method is to end the password with "&lang=en" to foil poorly-written web apps that GET the submission form. I don't want my password stored in a webserver logfile somewhere as a querystring, so disguising part of the password as a GET variable helps.

A password that takes advantage of both these features might be " John123Lennon&lang=en" which is easy to type, easy to remember, very long and contains a wide variety of characters. Trimming spaces would _not_ be what a user of this password would want. And yes, I'm the OCD geek with such passwords.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Do you trim() usernames and passwords?
> ... And yes, I'm the OCD geek with such passwords.

Dotan, that is great! You made a dry topic hilarious! (on top of the practical points you make.)

Thanks!
Govinda
[PHP] Static content at runtime
Hi.

I am currently looking into improving a system that (like many systems) generates static content at runtime. I have always been against generating static content at runtime and believe static content should be generated by a cronjob or manually at some idle time (if possible). This will provide real static content (no PHP at all) that doesn't need to be checked every time a request is made, hence a huge performance benefit is achieved.

A nice article on the issue: http://zoompf.com/blog/2009/12/the-challenge-of-dynamically-generating-static-content

Quote: "The moral of the story is never make the user pay for your laziness. Do not use the application tier of a website to dynamically generate static content at runtime. Instead do it at publishing time or even do it in a daily or hourly cron job. This approach allows you all the advantages of using application logic without drastically reducing the very web performance you were trying to improve in the first place!"

Sometimes however many pages are linked together and when working with a system with hundreds or thousands of pages re-creating a lot of content each night perhaps isn't always the best way to do things. Especially if the content needs to be updated right away and can't wait for the nightly cronjob to do its business.

To illustrate with a simple example: a blog system with a menu that displays how many posts exist in each category.

- Home
- About
- Tech (412)
- News (2030)
etc.

When a new page is added to the News category every single page in the system needs to get updated in order for the menu to display the new number (2031).

Some use a compromise to include only changing items (like the menu in the above example), but that would mean using PHP and not serving pure static content. Others use "ugly" solutions like frames.

Care to share your experiences and recommendations on the issue?

Kind regards
---
Kim N. Lesmer
Programmer/Unix system administrator
Web: www.bitflop.com
E-mail: k...@bitflop.com
Re: [PHP] Static content at runtime
> Care to share your experiences and recommendations on the issue?

It seems to me that you ask a great question, and ask it well.

I have worked on both kinds of systems. But I am not expert enough to say anything definitively. Just one thought I had while thinking about it:

How about: publish static content.. and for the changing menu number, use Ajax instead of PHP include(s). Would that be any better? ...or maybe it is effectively the same "dynamic" burden in the end?

Govinda
Re: [PHP] Static content at runtime
On Tue, 2010-12-28 at 13:25 -0500, Govinda wrote:
>> Care to share your experiences and recommendations on the issue?
>
> It seems to me that you ask a great question, and ask it well.
>
> I have worked on both kinds of systems. But I am not expert enough to
> say anything definitively. Just one thought I had while thinking
> about it:
>
> How about: publish static content.. and for the changing menu number,
> use Ajax instead of PHP include(s). Would that be any better? ...or
> maybe it is effectively the same "dynamic" burden in the end?
>
> Govinda

I'd tend towards server-side includes handled by Apache instead of Ajax if you're that worried about dynamic content cost. It's faster than having PHP produce the entire page each time as it's only using Apache instead of Apache and PHP.

Aside from that Ajax shouldn't be used for this sort of thing. Not everyone has Javascript enabled, a lot of search engines won't process the content pulled in via Ajax (Google does handle some Javascript now to a limited extent) and it takes extra time for a client's browser to load the Javascript that is being used, and then it has to make the request and wait for the response, all of which takes time. It might seem fine in local testing, but in the real world on a variety of connections it doesn't work the way you want.

Thanks,
Ash
http://www.ashleysheridan.co.uk
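Added example, not code posted in the thread: the "static pages plus one small server-side include" arrangement Ash describes, written out. Every page is a plain .shtml file containing `<!--#include virtual="/fragments/menu.html" -->`, Apache's mod_include splices the fragment in, and only that fragment is rewritten when a post is published. The Apache directives, the fragment path, the category names and the counts are assumptions chosen for illustration, not anything the thread specifies.

```php
<?php
// Added example (not from the thread). Regenerates the shared menu fragment
// once per publish; Apache includes it into otherwise static pages.
//
// Assumed Apache configuration for the directory holding the .shtml pages:
//   Options +IncludesNOEXEC       # mod_include on, but #exec stays disabled
//   AddType text/html .shtml
//   AddOutputFilter INCLUDES .shtml
declare(strict_types=1);

const MENU_FRAGMENT = '/var/www/html/fragments/menu.html';   // assumed path

// Build the menu from a category => post-count map. Category names originate
// in the database, so they are escaped for HTML and for the URL before being
// written into a file Apache will serve verbatim to every visitor.
function renderMenu(array $counts): string
{
    $items = [
        '<li><a href="/">Home</a></li>',
        '<li><a href="/about/">About</a></li>',
    ];
    foreach ($counts as $category => $count) {
        $items[] = sprintf(
            '<li><a href="/%s/">%s (%d)</a></li>',
            rawurlencode(strtolower($category)),
            htmlspecialchars($category, ENT_QUOTES, 'UTF-8'),
            $count
        );
    }
    return "<ul class=\"menu\">\n  " . implode("\n  ", $items) . "\n</ul>\n";
}

// Replace the fragment atomically. Apache may be reading the file at the very
// moment it is regenerated; writing to a temporary file in the same directory
// and rename()-ing it over the old one means a reader sees either the complete
// old menu or the complete new one, never a truncated file.
function publishFragment(string $path, string $html): void
{
    $dir = dirname($path);
    $tmp = tempnam($dir, 'menu.');
    // tempnam() silently falls back to the system temp dir when $dir is not
    // writable; a rename across filesystems would not be atomic, so refuse.
    if ($tmp === false || realpath(dirname($tmp)) !== realpath($dir)) {
        throw new RuntimeException("cannot create temporary file in $dir");
    }
    if (file_put_contents($tmp, $html) !== strlen($html)) {
        @unlink($tmp);
        throw new RuntimeException("short write to $tmp");
    }
    chmod($tmp, 0644);             // tempnam() creates the file mode 0600
    if (!rename($tmp, $path)) {    // atomic replace on POSIX filesystems
        @unlink($tmp);
        throw new RuntimeException("cannot replace $path");
    }
}

// Called from the "publish post" code path with counts fetched from the DB.
// Constructed sample counts, matching the numbers in Kim's example:
publishFragment(MENU_FRAGMENT, renderMenu(['Tech' => 412, 'News' => 2031]));
```

The page files themselves never change, so the cron-versus-runtime question only applies to this one fragment, and the atomic rename is what lets it be regenerated while the site is serving traffic. `IncludesNOEXEC` is the setting to keep: plain `Includes` also enables `<!--#exec cmd="..." -->`, which turns any ability to write an .shtml file into command execution as the web server user.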
Re: [PHP] Static content at runtime
The other option is to generate the page dynamically and cache it (we use Varnish) for the next users. This way you pay the cost to regenerate pages only for those someone views--and only once. This pays off well when you have high traffic. David
[PHP] Re: Do you trim() usernames and passwords?
Dotan Cohen wrote:
> I seem to have an issue with users who copy-paste their usernames and
> passwords copying and pasting leading and trailing space characters.

Don't trim or limit the range of input characters, but far more importantly /don't send passwords in clear text/, indeed don't generate passwords at all, let users enter their desired password, then they won't be copy and pasting them ;)

ps: if unavoidable, then give some advice on "login" failure like "passwords are case sensitive, check you don't have caps lock on and that you haven't included any additional spaces".

Best,

Nathan
Re: [PHP] Re: Do you trim() usernames and passwords?
Joshua Kehn wrote:
> Trim usernames but not passwords.

agree. nice catch, I was thinking about passwords specifically and forgot usernames were in the topic too!

> On Dec 28, 2010, at 2:57 PM, Nathan Rixham wrote:
>> Dotan Cohen wrote:
>>> I seem to have an issue with users who copy-paste their usernames and
>>> passwords copying and pasting leading and trailing space characters.
>>
>> Don't trim or limit the range of input characters, but far more importantly
>> /don't send passwords in clear text/, indeed don't generate passwords at all,
>> let users enter their desired password, then they won't be copy and pasting
>> them ;)
>>
>> ps: if unavoidable, then give some advice on "login" failure like "passwords
>> are case sensitive, check you don't have caps lock on and that you haven't
>> included any additional spaces".
>>
>> Best,
>>
>> Nathan
Re: [PHP] Static content at runtime
On 2010-12-28, at 2:19 PM, David Harkness wrote:
> The other option is to generate the page dynamically and cache it (we use
> Varnish) for the next users. This way you pay the cost to regenerate pages
> only for those someone views--and only once. This pays off well when you
> have high traffic.
>
> David

Yep. Been there, done that! Got massive increases out of the system by using that process.

Bastien Koert

Sent from my iPhone
Re: [PHP] Re: Do you trim() usernames and passwords?
Specifically:

>> Dotan Cohen wrote:
>>> I seem to have an issue with users who copy-paste their usernames and
>>> passwords copying and pasting leading and trailing space characters.

Users should not be copy-pasting passwords or usernames. Do not compromise a system to cater to bad [stupid, ignorant, you pick] users. If this is an issue then educate the users.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com

On Dec 28, 2010, at 3:07 PM, Nathan Rixham wrote:
> Joshua Kehn wrote:
>> Trim usernames but not passwords.
>
> agree. nice catch, I was thinking about passwords specifically and forgot
> usernames were in the topic too!
>
>> On Dec 28, 2010, at 2:57 PM, Nathan Rixham wrote:
>>> Dotan Cohen wrote:
>>>> I seem to have an issue with users who copy-paste their usernames and
>>>> passwords copying and pasting leading and trailing space characters.
>>> Don't trim or limit the range of input characters, but far more importantly
>>> /don't send passwords in clear text/, indeed don't generate passwords at
>>> all, let users enter their desired password, then they won't be copy and
>>> pasting them ;)
>>>
>>> ps: if unavoidable, then give some advice on "login" failure like
>>> "passwords are case sensitive, check you don't have caps lock on and that
>>> you haven't included any additional spaces".
>>>
>>> Best,
>>>
>>> Nathan
[PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 21:57, Nathan Rixham wrote:
> Don't trim or limit the range of input characters, but far more importantly
> /don't send passwords in clear text/, indeed don't generate passwords at
> all, let users enter their desired password, then they won't be copy and
> pasting them ;)
>
> ps: if unavoidable, then give some advice on "login" failure like "passwords
> are case sensitive, check you don't have caps lock on and that you haven't
> included any additional spaces".

I'm toying with the idea of having the passwords hashed twice: they're already in the database hashed, and javascript hashes them on the client before sending them over, but I'm thinking about sending an additional salt to the client to hash the hashed passwords with salt, and that's what is sent back. This way, each login is done with a different hash of the password so an attacker cannot simply capture and reuse the hashed password.

But before all that goes on, I have to decide what to do about leading and trailing spaces.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:02, Joshua Kehn wrote:
> Trim usernames but not passwords.
> Some people put spaces at the beginning and end of their passwords. Double
> confirm and don't mess with the input otherwise they tend to get confused.

How about:

    if ($trimmedUsername != $username) {
        $password = trim($password);
    }

I suppose that it is reasonable to assume (ha!) that if one was copy-pasted with spaces, so would the other. Naive, I know, too bad I don't dare start logging raw data to determine how true this might or might not be. Maybe I will start anonymising the data on the client, testing for this, then logging it to a separate database with no correlation to the users. Interesting it will be, at least.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
Trim usernames but not passwords.

Some people put spaces at the beginning and end of their passwords. Double confirm and don't mess with the input otherwise they tend to get confused.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com

On Dec 28, 2010, at 2:57 PM, Nathan Rixham wrote:
> Dotan Cohen wrote:
>> I seem to have an issue with users who copy-paste their usernames and
>> passwords copying and pasting leading and trailing space characters.
>
> Don't trim or limit the range of input characters, but far more importantly
> /don't send passwords in clear text/, indeed don't generate passwords at all,
> let users enter their desired password, then they won't be copy and pasting
> them ;)
>
> ps: if unavoidable, then give some advice on "login" failure like "passwords
> are case sensitive, check you don't have caps lock on and that you haven't
> included any additional spaces".
>
> Best,
>
> Nathan
Re: [PHP] Re: Do you trim() usernames and passwords?
On 28 December 2010 21:18, Dotan Cohen wrote:
> On Tue, Dec 28, 2010 at 21:57, Nathan Rixham wrote:
>> Don't trim or limit the range of input characters, but far more importantly
>> /don't send passwords in clear text/, indeed don't generate passwords at
>> all, let users enter their desired password, then they won't be copy and
>> pasting them ;)
>>
>> ps: if unavoidable, then give some advice on "login" failure like "passwords
>> are case sensitive, check you don't have caps lock on and that you haven't
>> included any additional spaces".
>
> I'm toying with the idea of having the passwords hashed twice: they're
> already in the database hashed, and javascript hashes them on the
> client before sending them over, but I'm thinking about sending an
> additional salt to the client to hash the hashed passwords with salt,
> and that's what is sent back. This way, each login is done with a
> different hash of the password so an attacker cannot simply capture
> and reuse the hashed password.

Sounds like https would be MUCH simpler and likely as safe or safer. I wouldn't waste my time on trying to come up with very clever schemes when tried and true technologies are out there.

> But before all that goes on, I have to decide what to do about leading
> and trailing spaces.

As has been noted a couple of times: trim usernames. Never trim passwords.

Regards
Peter

--
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
[PHP] Re: Do you trim() usernames and passwords?
Dotan Cohen wrote:
> On Tue, Dec 28, 2010 at 21:57, Nathan Rixham wrote:
>> Don't trim or limit the range of input characters, but far more importantly
>> /don't send passwords in clear text/, indeed don't generate passwords at
>> all, let users enter their desired password, then they won't be copy and
>> pasting them ;)
>>
>> ps: if unavoidable, then give some advice on "login" failure like "passwords
>> are case sensitive, check you don't have caps lock on and that you haven't
>> included any additional spaces".
>
> I'm toying with the idea of having the passwords hashed twice: they're
> already in the database hashed, and javascript hashes them on the
> client before sending them over, but I'm thinking about sending an
> additional salt to the client to hash the hashed passwords with salt,
> and that's what is sent back. This way, each login is done with a
> different hash of the password so an attacker cannot simply capture
> and reuse the hashed password.

That would possibly address some man in the middle attacks, however it'd be much easier and more secure to simply have all "logged in" functionality over http+tls (https://) which will ensure encryption over the wire, and it's peer to peer thus impossible for anything to even be "in the middle".

Best,

Nathan
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:11, Joshua Kehn wrote:
> Users should not be copy-pasting passwords or usernames. Do not compromise a
> system to cater to bad [stupid, ignorant, you pick] users. If this is an
> issue then educate the users.

Educate the users?!? Is that like making water flow uphill, or reversing aging? I can do a lot of things, but don't even ask me to bring back the dead!

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote:
> I'm toying with the idea of having the passwords hashed twice: they're
> already in the database hashed, and javascript hashes them on the
> client before sending them over, but I'm thinking about sending an
> additional salt to the client to hash the hashed passwords with salt,
> and that's what is sent back. This way, each login is done with a
> different hash of the password so an attacker cannot simply capture
> and reuse the hashed password.
>
> But before all that goes on, I have to decide what to do about leading
> and trailing spaces.

Toy with it and discard it. Client side hashing / salting is not a good idea. A much better alternative is to use SSL.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
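Added example, not code from the thread: the challenge scheme Dotan sketches (the client sends H(nonce . H(password)), the server checks it against the H(password) it already stores), written out so that the property behind "discard it" is visible. Whatever the server stores is sufficient to answer the challenge, so a copied password column logs an attacker in directly; the second half shows the server-side hashing that the HTTPS advice assumes. The hash choices, the user store and the function names are illustrative assumptions.

```php
<?php
// Added example (not from the thread). Two ways to verify a login, side by
// side, with a stolen copy of the user table tried against each.
declare(strict_types=1);

// --- the scheme sketched in the thread -----------------------------------

// What the database would hold for each user ("already in the database hashed").
function storedDigest(string $password): string
{
    return hash('sha256', $password);
}

// What the browser-side JavaScript would compute from the per-login nonce
// ("additional salt") and the password the user typed.
function clientResponse(string $nonce, string $password): string
{
    return hash('sha256', $nonce . storedDigest($password));
}

// What the server compares against. It never needs the password, only the
// stored digest, which is exactly what an attacker holding the table has.
function serverAccepts(array $db, string $user, string $nonce, string $response): bool
{
    if (!isset($db[$user])) {
        return false;
    }
    $expected = hash('sha256', $nonce . $db[$user]);
    return hash_equals($expected, $response);   // constant-time comparison
}

// --- the alternative the replies recommend --------------------------------

// With TLS protecting the wire, the server receives the password itself and
// stores a slow, salted hash. A copy of this column cannot be replayed; it only
// lets an attacker start guessing, one bcrypt evaluation per guess.
function enroll(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function loginOverTls(array $db, string $user, string $password): bool
{
    return isset($db[$user]) && password_verify($password, $db[$user]);
}

// --- demonstration with constructed data -----------------------------------

$password = ' John123Lennon&lang=en';            // from earlier in the thread
$nonce    = bin2hex(random_bytes(16));           // fresh per login attempt

$weakDb = ['dotan' => storedDigest($password)];
$honest = serverAccepts($weakDb, 'dotan', $nonce, clientResponse($nonce, $password));

// An attacker who obtained the row (SQL injection, stolen backup) replies
// using nothing but the stored value, never learning the password.
$stolen   = $weakDb['dotan'];
$attacker = serverAccepts($weakDb, 'dotan', $nonce, hash('sha256', $nonce . $stolen));

// Against the bcrypt store the stolen hash is useless as a credential.
$strongDb = ['dotan' => enroll($password)];
$replayed = loginOverTls($strongDb, 'dotan', $strongDb['dotan']);

printf("honest client, challenge scheme: %s\n", $honest   ? 'accepted' : 'rejected');
printf("stolen digest, challenge scheme: %s\n", $attacker ? 'accepted' : 'rejected');
printf("stolen bcrypt hash as password:  %s\n", $replayed ? 'accepted' : 'rejected');
```

Run as written, the first two lines report "accepted" and the third "rejected": the nonce does stop a captured response from being replayed, which is the goal Dotan states, but it turns the stored digest into a password equivalent, which is the part the scheme does not mention. The bcrypt path also inherits the thread's other conclusion for free, since password_verify() sees the password byte for byte, leading space included.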
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:23, Peter Lind wrote:
> Sounds like https would be MUCH simpler and likely as safe or safer. I
> wouldn't waste my time on trying to come up with very clever schemes
> when tried and true technologies are out there.

You are right, I know.

>> But before all that goes on, I have to decide what to do about leading
>> and trailing spaces.
>
> As has been noted a couple of times: trim usernames. Never trim passwords.

I think that is right. I needed that push. Thanks.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
> Specifically:
>
>>> Dotan Cohen wrote:
>>>> I seem to have an issue with users who copy-paste their usernames and
>>>> passwords copying and pasting leading and trailing space characters.
>
> Users should not be copy-pasting passwords or usernames. Do not compromise a
> system to cater to bad [stupid, ignorant, you pick] users. If this is an
> issue then educate the users.

If you work for a company that admins over a hundred websites, you may be inclined to copy-paste a few passwords.

I don't know about you, but when we use passwords that are over 16 characters long I don't want to get an incorrect pass because it was a grave character versus a single apostrophe, or a capital i versus a lowercase L, or a zero versus an O, etc. There is no way I am retyping passwords every time I need to log in, or FTP into a site.

We use apps to store all our passes, so yeah I copy and paste. But on the same note I am conscious of copying a space at the end of the password / username.

Sorry, you are not going to (re)educate the public on what you think is password best practices. But I do however, think that it is the users problem, not the developers. Learn how to copy-paste.
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 3:23 PM, Dotan Cohen wrote:
> On Tue, Dec 28, 2010 at 22:02, Joshua Kehn wrote:
>> Trim usernames but not passwords.
>> Some people put spaces at the beginning and end of their passwords. Double
>> confirm and don't mess with the input otherwise they tend to get confused.
>
> How about:
>
>     if ($trimmedUsername != $username) {
>         $password = trim($password);
>     }
>
> I suppose that it is reasonable to assume (ha!) that if one was
> copy-pasted with spaces, so would the other. Naive, I know, too bad I
> don't dare start logging raw data to determine how true this might or
> might not be.

Educate the users, don't compromise the system. Either go full on and trim everything (I don't recommend this) or trim nothing. Be consistent in which one you pick.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
Joshua Kehn wrote:
> On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote:
>> I'm toying with the idea of having the passwords hashed twice: they're
>> already in the database hashed, and javascript hashes them on the
>> client before sending them over, but I'm thinking about sending an
>> additional salt to the client to hash the hashed passwords with salt,
>> and that's what is sent back. This way, each login is done with a
>> different hash of the password so an attacker cannot simply capture
>> and reuse the hashed password.
>>
>> But before all that goes on, I have to decide what to do about leading
>> and trailing spaces.
>
> Toy with it and discard it. Client side hashing / salting is not a good
> idea. A much better alternative is to use SSL.

indeed, and on reflection, if you're putting this much effort in to it, and security is a worry, then forget username and passwords, and issue each user with a client side RSA v3 certificate and identify them via the public key of the cert.
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:26, Joshua Kehn wrote:
> Educate the users, don't compromise the system. Either go full on and trim
> everything (I don't recommend this) or trim
> nothing. Be consistent in which one you pick.

Then how about:

    if ($trimmedPassword == $realPassword && $enteredPassword != $realPassword) {
        print "Warmer!";
    }

I'm kidding. I'll not trim. But if $trimmedUsername != $enteredUsername I'll mention that fact to the user and remind him to be careful to copy exactly what he means to copy. Username only, not password.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
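Added example, not code posted in the thread: the policy the discussion settled on, implemented as a login check. The username is trimmed, the password is used exactly as entered, and when the username did carry surrounding whitespace the failed-attempt message says so, as Dotan proposes above. The in-memory user array, the use of password_hash()/password_verify(), and the non-breaking-space handling are assumptions for illustration rather than anything the thread specifies.

```php
<?php
// Added example (not from the thread): trim usernames, never passwords, and
// hint on failure when the username had stray whitespace.
declare(strict_types=1);

// Remove leading/trailing ASCII whitespace and the non-breaking space
// (U+00A0) that HTML mail clients often substitute for a plain space when a
// credential is copied out of an e-mail. \s under /u does not match U+00A0,
// hence the explicit class member.
function normalizeUsername(string $raw): string
{
    $clean = preg_replace('/^[\s\x{00A0}]+|[\s\x{00A0}]+$/u', '', $raw);
    // preg_replace() returns null on invalid UTF-8; degrade to a plain trim.
    return $clean ?? trim($raw);
}

// Returns ['ok' => bool, 'username' => string, 'hint' => ?string].
function attemptLogin(array $users, string $rawUsername, string $password): array
{
    $username = normalizeUsername($rawUsername);

    // Verify against a throwaway hash when the account is unknown, so an
    // unknown username costs the same time as a wrong password and the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stored = $users[$username] ?? null;
    $ok = password_verify($password, $stored ?? $dummyHash) && $stored !== null;

    $hint = null;
    if (!$ok && $username !== $rawUsername) {
        $hint = 'Leading or trailing whitespace was removed from your username. '
              . 'If you pasted your password too, check it for the same thing: '
              . 'passwords are used exactly as entered.';
    }
    return ['ok' => $ok, 'username' => $username, 'hint' => $hint];
}

// Constructed sample data: the password from earlier in the thread, which
// starts with a space on purpose. A real application reads this from the DB.
$users = ['dotan' => password_hash(' John123Lennon&lang=en', PASSWORD_DEFAULT)];

// Username pasted with a trailing CRLF, password intact: accepted.
$a = attemptLogin($users, "dotan\r\n", ' John123Lennon&lang=en');
// Same paste, but the password lost its leading space: rejected, with hint.
$b = attemptLogin($users, "dotan\r\n", 'John123Lennon&lang=en');
// Unknown user: rejected via the same code path, with no hint to give.
$c = attemptLogin($users, 'nobody', 'anything');

var_dump($a['ok'], $b['ok'], $b['hint'] !== null, $c['ok'], $c['hint']);
```

The hint is only produced on failure, and only says something about the username, so a successful login reveals nothing and an attacker learns nothing beyond what the trimmed username already told the server. Nothing is stripped from the password: CR and LF cannot be typed into a browser password field in any case, and a space or tab may be deliberate, which is the whole point of the thread.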
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 3:29 PM, Nathan Rixham wrote:
> Joshua Kehn wrote:
>> On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote:
>>> I'm toying with the idea of having the passwords hashed twice: they're
>>> already in the database hashed, and javascript hashes them on the
>>> client before sending them over, but I'm thinking about sending an
>>> additional salt to the client to hash the hashed passwords with salt,
>>> and that's what is sent back. This way, each login is done with a
>>> different hash of the password so an attacker cannot simply capture
>>> and reuse the hashed password.
>>>
>>> But before all that goes on, I have to decide what to do about leading
>>> and trailing spaces.
>> Toy with it and discard it. Client side hashing / salting is not a good
>> idea. A much better alternative is to use SSL.
>
> indeed, and on reflection, if you're putting this much effort in to it, and
> security is a worry, then forget username and passwords, and issue each user
> with a client side RSA v3 certificate and identify them via the public key of
> the cert.

I just realized that this would also completely solve your trim() problem!

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 3:26 PM, Nicholas Kell wrote: > > If you work for a company that admins over a hundred websites, you may be > inclined to copy-paste a few passwords. > > I don't know about you, but when we use passwords that are over 16 characters > long and I don't want to get an incorrect pass, because it was a grave > character versus a single apostrophe, or a capital i versus a lowercase L or > a zero versus an O, etc.. There is no way I am retyping passwords for > every time I need to log in, or FTP into a site. > > We use apps to store all our passes, so yeah I copy and paste. But on the > same note I am conscious of copying a space at the end of the password / > username. > > Sorry, you are not going to (re)educate the public on what you think is > password best practices. But I do however, think that it is the users > problem, not the developers. Learn how to copy-paste. You have a good point. Both with (1) you won't stop it, and (2) learn how to copy-paste. Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:30, Joshua Kehn wrote: >> indeed, and on reflection, if you're putting this much effort into it, and >> security is a worry, then forget username and passwords, and issue each user >> with a client side RSA v3 certificate and identify them via the public key >> of the cert. > > I just realized that this would also completely solve your trim() problem! > "Hello, Dotan? Hi, we haven't spoken in a full week now that we don't have the trim problem. But I reinstalled Windows and wiped the drive, now I can't log in. Can you help me?" -- Dotan Cohen http://gibberish.co.il http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 3:32 PM, Dotan Cohen wrote: > On Tue, Dec 28, 2010 at 22:30, Joshua Kehn wrote: >>> indeed, and on reflection, if you're putting this much effort into it, and >>> security is a worry, then forget username and passwords, and issue each user >>> with a client side RSA v3 certificate and identify them via the public key >>> of the cert. >> >> I just realized that this would also completely solve your trim() problem! >> > > "Hello, Dotan? Hi, we haven't spoken in a full week now that we don't > have the trim problem. But I reinstalled Windows and wiped the drive, > now I can't log in. Can you help me?" > > -- > Dotan Cohen Hey, progress is progress! Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
Dotan Cohen wrote: On Tue, Dec 28, 2010 at 22:30, Joshua Kehn wrote: indeed, and on reflection, if you're putting this much effort into it, and security is a worry, then forget username and passwords, and issue each user with a client side RSA v3 certificate and identify them via the public key of the cert. I just realized that this would also completely solve your trim() problem! "Hello, Dotan? Hi, we haven't spoken in a full week now that we don't have the trim problem. But I reinstalled Windows and wiped the drive, now I can't log in. Can you help me?" That's what pkcs12 was invented for, just issue another certificate / key pair.
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 3:24 PM, Dotan Cohen wrote: > On Tue, Dec 28, 2010 at 22:11, Joshua Kehn wrote: >> Users should not be copy-pasting passwords or usernames. Do not compromise a >> system to cater to bad [stupid, ignorant, you pick] users. If this is an >> issue then educate the users. >> > > Educate the users?!? Is that like making water flow uphill, or > reversing aging? I can do a lot of things, but don't even ask me to > bring back the dead! > > -- > Dotan Cohen We're PHP programmers, we do the impossible all the time. Without automatic migrations, managed models, succinct ORMs. Other developers look at us in shock as we memorize the $haystack and $needle argument orders for explode and str* functions. Raising the dead would be easy in comparison. Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:52, Joshua Kehn wrote: > We're PHP programmers, we do the impossible all the time. Without automatic > migrations, managed models, succinct > ORMs. Other developers look at us in shock as we memorize the $haystack and > $needle argument orders for explode > and str* functions. Raising the dead would be easy in comparison. > Oh, how about verbNoun() vs nounVerb() vs mysql_adjective_verb_noun()?!? I'm not a PHP programmer by trade, more of a side thing while I maintain some servers, but I know to appreciate those who do the impossible! While we're at it, how about adding just one little feature... -- Dotan Cohen http://gibberish.co.il http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 22:43, Nathan Rixham wrote: > That's what pkcs12 was invented for, just issue another certificate / key > pair. > I could probably automate and script it, I would just give the users a name/password combo to their own control panel... -- Dotan Cohen http://gibberish.co.il http://what-is-what.com
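Nathan's suggestion (identify users by the public key of a client certificate, and when the key is lost just issue another certificate/key pair as a PKCS#12 bundle) and Dotan's follow-up about scripting the issuance, as an added PHP example; it is not code from anyone in this thread or from any project. It assumes PHP 7.1 or later with the openssl extension, and, on the server side, an Apache front end configured with SSLVerifyClient require and SSLOptions +ExportCertData so that the already-verified PEM certificate arrives in $_SERVER['SSL_CLIENT_CERT'] and the verification result in $_SERVER['SSL_CLIENT_VERIFY']. The function names, the in-memory CA and the sample account are my own constructions.

```php
<?php
declare(strict_types=1);

const KEY_OPTS = [
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'digest_alg'       => 'sha256',
];

// Issuing CA. For the example it lives in memory; in a deployment generate it
// once and keep the private key away from the web server.
function makeCa(): array
{
    $caKey  = openssl_pkey_new(KEY_OPTS);
    $csr    = openssl_csr_new(['commonName' => 'Example Login CA'], $caKey, KEY_OPTS);
    $caCert = openssl_csr_sign($csr, null, $caKey, 3650, KEY_OPTS);   // null CA cert = self-signed
    return [$caCert, $caKey];
}

// Issue a fresh key pair and certificate for one user and package both as
// PKCS#12. Reissuing after a wiped laptop is just calling this again.
function issueClientBundle($caCert, $caKey, string $username, string $p12Passphrase): array
{
    $userKey = openssl_pkey_new(KEY_OPTS);
    $csr     = openssl_csr_new(['commonName' => $username], $userKey, KEY_OPTS);
    $cert    = openssl_csr_sign($csr, $caCert, $caKey, 365, KEY_OPTS, random_int(1, PHP_INT_MAX));

    openssl_x509_export($cert, $certPem);
    $p12 = '';
    openssl_pkcs12_export($cert, $p12, $userKey, $p12Passphrase);
    return [$certPem, $p12];   // $p12 is the bytes handed to the user as e.g. login.p12
}

// Account identity = SHA-256 over the certificate's public key (PEM SPKI).
// Keying on the public key rather than on the subject string lets one
// account hold several certificates (old laptop, new laptop, reissued key).
function publicKeyId(string $certPem): string
{
    $pub     = openssl_pkey_get_public($certPem);
    $details = openssl_pkey_get_details($pub);
    return hash('sha256', $details['key']);
}

// Per request: the TLS layer has already checked the chain to our CA and the
// client's proof of possession of the private key; the app only maps the key
// to an account. No username or password field exists, so nothing to trim.
function currentUser(array $server, array $keyToUser): ?string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS' || empty($server['SSL_CLIENT_CERT'])) {
        return null;
    }
    return $keyToUser[publicKeyId($server['SSL_CLIENT_CERT'])] ?? null;
}

// Usage: enrol a user, then simulate the variables Apache would export.
[$caCert, $caKey] = makeCa();
[$certPem, $p12]  = issueClientBundle($caCert, $caKey, 'dotan', 'passphrase-given-at-enrolment');
$keyToUser = [publicKeyId($certPem) => 'dotan'];   // constructed account table

$fakeServer = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $certPem];
$who = currentUser($fakeServer, $keyToUser);       // 'dotan'

// Lost key: issue a second bundle and bind its public key to the same account.
[$certPem2, $p12b] = issueClientBundle($caCert, $caKey, 'dotan', 'new-passphrase');
$keyToUser[publicKeyId($certPem2)] = 'dotan';
```

The application never re-validates the certificate itself; that is the TLS layer's job, and SSL_CLIENT_VERIFY is checked so that a misconfigured SSLVerifyClient optional does not turn an unverified certificate into a login. Revoking a lost key is then a matter of deleting its entry from the key-to-account table (or a CRL at the TLS layer), which Dotan's control-panel idea could expose to the user directly.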
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 15:43, Nathan Rixham wrote: > > That's what pkcs12 was invented for, just issue another certificate / key > pair. This thread has really just gone on far too long without the only correct answer: always use the same username/password for everything, and always make them as simple as possible so that you can remember them. For example, I always use the password 'brown1' for everything --- all of my servers' root passwords, my bank accounts and credit cards, email addresses, nuclear arsenal, electronic safe containing all of my ninja swords up in my toddler daughter's room, customer cPanel accounts, social networking passwords, medical records, utilities payment sites, credit history, customer's credit cards, the antidote, the original KFC secret recipe, the key to your heart, the meaning of life, the true name of ***, the better mousetrap, the cure for the common cold, the last of the Mohicans, the look on your face, the way we were, the DeLorean, the secret of nirvana, and all of my exabytes of pr0n collections. -- Network Infrastructure Manager Documentation, Webmaster Teams http://www.php.net/
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 23:02, Daniel Brown wrote: > This thread has really just gone on far too long without the only > correct answer: always use the same username/password for everything, > and always make them as simple as possible so that you can remember > them. For example, I always use the password 'brown1' for everything > --- all of my servers' root passwords, my bank accounts and credit > cards, email addresses, nuclear arsenal, electronic safe containing > all of my ninja swords up in my toddler daughter's room, customer > cPanel accounts, social networking passwords, medical records, > utilities payment sites, credit history, customer's credit cards, the > antidote, the original KFC secret recipe, the key to your heart, the > meaning of life, the true name of ***, the better mousetrap, the cure > for the common cold, the last of the Mohicans, the look on your face, > the way we were, the DeLorean, the secret of nirvana, and all of my > exabytes of pr0n collections. > Did you know that when you type 'brown1' we see it as **? Your system does that automatically. -- Dotan Cohen http://gibberish.co.il http://what-is-what.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 16:05, Dotan Cohen wrote: > > Did you know that when you type 'brown1' we see it as **? Your > system does that automatically. That's how I see it, too. It took me fourteen years to realize that my password wasn't just six asterisks (though, in my hand-made, high-security login scripts, the same will work, in case I forget my password). -- Network Infrastructure Manager Documentation, Webmaster Teams http://www.php.net/
Re: [PHP] Re: Do you trim() usernames and passwords?
On 28 December 2010 22:06, Daniel Brown wrote: > On Tue, Dec 28, 2010 at 16:05, Dotan Cohen wrote: >> >> Did you know that when you type 'brown1' we see it as **? Your >> system does that automatically. > > That's how I see it, too. It took me fourteen years to realize > that my password wasn't just six asterisks (though, in my hand-made, > high-security login scripts, the same will work, in case I forget my > password). > Bla bla bla not Friday yet bla bla bla cut down on the noise on the list bla bla -- WWW: plphp.dk / plind.dk LinkedIn: plind BeWelcome/Couchsurfing: Fake51 Twitter: kafe15
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 16:10, Peter Lind wrote: > > Bla bla bla not Friday yet bla bla bla cut down on the noise on the list bla > bla I tend to think that you fail to see the actual meaning behind the messages, Peter, and instead just like to remind me of my own words. Don't worry: I remember them, thanks. -- Network Infrastructure Manager Documentation, Webmaster Teams http://www.php.net/
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote: > Specifically: > > >> Dotan Cohen wrote: > >>> I seem to have an issue with users who copy-paste their usernames and > >>> passwords copying and pasting leading and trailing space characters. > > Users should not be copy-pasting passwords or usernames. Do not compromise a > system to cater to bad [stupid, ignorant, you pick] users. If this is an > issue then educate the users. > Wrong. I use a program called pwgen to generate passwords for me, which I cannot remember. I use another program I built to store them in an encrypted file. When I have to supply a password which I've forgotten (as usual), I fire up my password "vault", find the password, and paste it wherever it's needed. Users would be wise to follow a scheme like this, rather than using their dog's name or somesuch as their passwords. Paul -- Paul M. Foster http://noferblatz.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 3:28 PM, Paul M Foster wrote: > Users would be wise to follow a scheme like > this, rather than using their dog's name or somesuch as their passwords. Aww man, I've been using "somesuch" as the password for all my accounts and now you've ruined it! Luckily I use your dog's name for my bank passwords which is probably still safe. To address the OP, I would agree with skipping trim on both the user name and password. If it's a copy-paste error, they will try again. If you want to get fancy, warn when the password starts with or ends with spaces if it comes back incorrect, but I think that's probably going to be so rare as not to be worth the extra effort. David
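Dotan's plan earlier in the thread (trim nothing, but tell the user when the submitted username carried stray whitespace) and David's refinement here (mention leading or trailing whitespace in the password only after the attempt has failed), combined in one added PHP example that is not code from anyone in this thread. It assumes PHP 7.1 or later for password_hash()/password_verify() and array destructuring; the function names, the constructed user store and the hint wording are my own.

```php
<?php
declare(strict_types=1);

// Constructed user store: the hash covers the exact bytes the user chose, so
// a deliberate trailing space is part of the secret.
function buildUserStore(): array
{
    return [
        'dotan' => password_hash('correct horse ', PASSWORD_DEFAULT),
    ];
}

// Authenticate with the credentials exactly as submitted; a secret is never
// trimmed. Returns [bool $ok, string[] $hints]. Each hint is derived only
// from the client's own input, so it reveals nothing about stored data.
function login(array $store, string $username, string $password): array
{
    $hints = [];

    // Username: compare as submitted, but say so when the pasted value
    // carried leading/trailing whitespace (trim() covers space, tab, CR, LF, NUL).
    if ($username !== trim($username)) {
        $hints[] = 'Your username contains leading or trailing whitespace; '
                 . 'check what you copied.';
    }

    // Unknown user: verify against a throwaway hash anyway so the response
    // time does not tell an observer whether the account exists.
    $hash = $store[$username] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash) && isset($store[$username]);

    // Only after a failed attempt: the password may legitimately contain
    // spaces, so this is advice about the input, not a correction of it.
    if (!$ok && $password !== trim($password)) {
        $hints[] = 'The password you entered starts or ends with whitespace; '
                 . 'if you pasted it, check for stray spaces or line breaks.';
    }

    return [$ok, $hints];
}

// Usage with the constructed store.
$store = buildUserStore();

[$ok, $hints] = login($store, 'dotan', 'correct horse ');      // exact match: ok, no hints
[$ok, $hints] = login($store, 'dotan ', "correct horse \r\n"); // pasted with CRLF: fails, two hints
[$ok, $hints] = login($store, 'dotan', 'correct horse');       // what trim() would have sent: fails, no hint
```

The third call shows the cost of trimming at login: a user whose real password ends in a space would be locked out silently. The unknown-user branch spends one password_hash() instead of one password_verify(); both are a single bcrypt computation, which is the point of doing it.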
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote: > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote: > >> Specifically: >> Dotan Cohen wrote: > I seem to have an issue with users who copy-paste their usernames and > passwords copying and pasting leading and trailing space characters. >> >> Users should not be copy-pasting passwords or usernames. Do not compromise a >> system to cater to bad [stupid, ignorant, you pick] users. If this is an >> issue then educate the users. >> > > Wrong. I use a program called pwgen to generate passwords for me, which > I cannot remember. I use another program I built to store them in an > encrypted file. When I have to supply a password which I've forgotten > (as usual), I fire up my password "vault", find the password, and paste > it wherever it's needed. Users would be wise to follow a scheme like > this, rather than using their dog's name or somesuch as their passwords. > > Paul > > -- > Paul M. Foster > http://noferblatz.com > What is "wrong?" That users should not be copy-pasting passwords or don't compromise the system? I agree that users should not use weak passwords, but not everyone goes everywhere with a vault. I am more than capable of memorizing 20 or so 16-32 character full set passwords. Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote: > On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote: > > > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote: > > > >> Specifically: > >> > Dotan Cohen wrote: > > I seem to have an issue with users who copy-paste their usernames and > > passwords copying and pasting leading and trailing space characters. > >> > >> Users should not be copy-pasting passwords or usernames. Do not compromise > >> a system to cater to bad [stupid, ignorant, you pick] users. If this is an > >> issue then educate the users. > >> > > > > Wrong. I use a program called pwgen to generate passwords for me, which > > I cannot remember. I use another program I built to store them in an > > encrypted file. When I have to supply a password which I've forgotten > > (as usual), I fire up my password "vault", find the password, and paste > > it wherever it's needed. Users would be wise to follow a scheme like > > this, rather than using their dog's name or somesuch as their passwords. > > > > Paul > > > > -- > > Paul M. Foster > > http://noferblatz.com > > > > What is "wrong?" That users should not be copy-pasting passwords or don't > compromise the system? > > I agree that users should not use weak passwords, but not everyone goes > everywhere with a vault. I am more than capable of memorizing 20 or so 16-32 > character full set passwords. > And so you assume everyone can do that? I can remember maybe 5 of the passwords I regularly need. (I rarely repeat passwords for different sites.) In addition, some passwords have been *assigned* to me and cannot readily be changed (and are usually difficult to remember). Many of the rest I so seldom use that it would be silly to try to remember them. Particularly when I do have a password-locked file I can use to record them for me. Under the circumstances I described, I have yet to hear in what way copying and pasting passwords compromises security of anything by itself. Please enlighten me. Paul -- Paul M. Foster http://noferblatz.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Dec 28, 2010, at 11:51 PM, Paul M Foster wrote: > On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote: > >> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote: >> >>> On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote: >>> Specifically: >> Dotan Cohen wrote: >>> I seem to have an issue with users who copy-paste their usernames and >>> passwords copying and pasting leading and trailing space characters. Users should not be copy-pasting passwords or usernames. Do not compromise a system to cater to bad [stupid, ignorant, you pick] users. If this is an issue then educate the users. >>> >>> Wrong. I use a program called pwgen to generate passwords for me, which >>> I cannot remember. I use another program I built to store them in an >>> encrypted file. When I have to supply a password which I've forgotten >>> (as usual), I fire up my password "vault", find the password, and paste >>> it wherever it's needed. Users would be wise to follow a scheme like >>> this, rather than using their dog's name or somesuch as their passwords. >>> >>> Paul >>> >>> -- >>> Paul M. Foster >>> http://noferblatz.com >>> >> >> What is "wrong?" That users should not be copy-pasting passwords or don't >> compromise the system? >> >> I agree that users should not use weak passwords, but not everyone goes >> everywhere with a vault. I am more than capable of memorizing 20 or so 16-32 >> character full set passwords. >> > > And so you assume everyone can do that? I can remember maybe 5 of the > passwords I regularly need. (I rarely repeat passwords for different > sites.) In addition, some passwords have been *assigned* to me and > cannot readily be changed (and are usually difficult to remember). Many > of the rest I so seldom use that it would be silly to try to remember > them. Particularly when I do have a password-locked file I can use to > record them for me. > > Under the circumstances I described, I have yet to hear in what way > copying and pasting passwords compromises security of anything by > itself. Please enlighten me. > > Paul I believe you misunderstood. I believe that trimming passwords to remove spaces is a compromise of the system, not the copy-paste. Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Do you trim() usernames and passwords?
On Tue, Dec 28, 2010 at 11:51 PM, Paul M Foster wrote: > On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote: > >> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote: >> >> > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote: >> > >> >> Specifically: >> >> >> Dotan Cohen wrote: >> > I seem to have an issue with users who copy-paste their usernames and >> > passwords copying and pasting leading and trailing space characters. >> >> >> >> Users should not be copy-pasting passwords or usernames. Do not >> >> compromise a system to cater to bad [stupid, ignorant, you pick] users. >> >> If this is an issue then educate the users. >> >> >> > >> > Wrong. I use a program called pwgen to generate passwords for me, which >> > I cannot remember. I use another program I built to store them in an >> > encrypted file. When I have to supply a password which I've forgotten >> > (as usual), I fire up my password "vault", find the password, and paste >> > it wherever it's needed. Users would be wise to follow a scheme like >> > this, rather than using their dog's name or somesuch as their passwords. >> > >> > Paul >> > >> > -- >> > Paul M. Foster >> > http://noferblatz.com >> > >> >> What is "wrong?" That users should not be copy-pasting passwords or don't >> compromise the system? >> >> I agree that users should not use weak passwords, but not everyone goes >> everywhere with a vault. I am more than capable of memorizing 20 or so 16-32 >> character full set passwords. >> > > And so you assume everyone can do that? I can remember maybe 5 of the > passwords I regularly need. (I rarely repeat passwords for different > sites.) In addition, some passwords have been *assigned* to me and > cannot readily be changed (and are usually difficult to remember). Many > of the rest I so seldom use that it would be silly to try to remember > them. Particularly when I do have a password-locked file I can use to > record them for me. > > Under the circumstances I described, I have yet to hear in what way > copying and pasting passwords compromises security of anything by > itself. Please enlighten me. Correct me if I'm wrong, but if you initially type the username and password into a file, and you have, in my paranoid scenario, a keylogger you don't know about, it gets logged, but also, I assume it would get logged if you typed it in as well, on the site, or that someone could lift the password if given the authority on your system, correct?
Re: [PHP] Static content at runtime
k...@bitflop.com wrote: Hi. I am currently looking into improving a system that (like many systems) generates static content at runtime. I have always been against generating static content at runtime and believe static content should be generated by a cronjob or manually at some idle time (if possible). This will provide real static content (no PHP at all) that doesn't need to be checked every time a request is made, hence a huge performance benefit is achieved. Do your needs really call for a publishing system at all? Back in the day, machines were slow and search engines didn't like much of the URL past the "?".. thus creative app design was needed to get around these issues, such as publishing systems and caching etc... Since it was stated you are "improving a system".. I thought this would be something to consider. Today, it's a lot easier to create a punctual, scalable, and search engine friendly app that doesn't use a publishing system (nor caching). Anyway, my point is sometimes "improving" a system can mean making it simpler. If publishing or caching is not needed, why complicate the matter?.. and btw, I found that Billy Hoffman article to be inaccurate in many of his assertions. Cheers, Donovan -- D Brooke
RE: [PHP] how would I do this?
> -Original Message- > From: David McGlone [mailto:da...@dmcentral.net] > Sent: Monday, December 27, 2010 1:14 PM > To: PHP > Subject: [PHP] how would I do this? > > Hi all, > > I am trying to make the link in this code not show the underscore and I can't > figure out how I could do it. I've tried various different things I thought > would work. I've tried things like "lawn_maintenance"=> "lawn > maintenance", I tried concatenating "lawn" . "maintenance" and various > other things. The examples above both produce just the word "lawn" > > here's the code I have so far: > > $services = array(lawn_maintenance, core_areation, over_seeding, > hedge_trimming, mulch_installation, natural_debris_removal, > leaf_cleanup_removal, snow_plowing); > $services = array('Lawn Maintenance', 'Core Areation', 'Over Seeding', 'Hedge Trimming', 'Mulch Installation', 'Natural Debris Removal', 'Leaf Cleanup Removal', 'Snow Plowing'); echo ''; foreach ($services as $service){ // echo "» $service"; echo ''.$service.''; } echo ''; Happy holidays, new year, & coding, Tommy > > Could anyone give me a hand? Obviously I don't understand arrays very well > :-/ > > -- > Blessings > David M.
Re: [PHP] Re: Do you trim() usernames and passwords?
On Wed, Dec 29, 2010 at 12:00:01AM -0500, David Hutto wrote: > On Tue, Dec 28, 2010 at 11:51 PM, Paul M Foster > wrote: > > On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote: > > > >> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote: > >> > >> > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote: > >> > > >> >> Specifically: > >> >> > >> Dotan Cohen wrote: > >> > I seem to have an issue with users who copy-paste their usernames > and > >> > passwords copying and pasting leading and trailing space characters. > >> >> > >> >> Users should not be copy-pasting passwords or usernames. Do not > compromise a system to cater to bad [stupid, ignorant, you pick] users. If > this is an issue then educate the users. > >> >> > >> > > >> > Wrong. I use a program called pwgen to generate passwords for me, which > >> > I cannot remember. I use another program I built to store them in an > >> > encrypted file. When I have to supply a password which I've forgotten > >> > (as usual), I fire up my password "vault", find the password, and paste > >> > it wherever it's needed. Users would be wise to follow a scheme like > >> > this, rather than using their dog's name or somesuch as their passwords. > >> > > >> > Paul > >> > > >> > -- > >> > Paul M. Foster > >> > http://noferblatz.com > >> > > >> > >> What is "wrong?" That users should not be copy-pasting passwords or > don't compromise the system? > >> > >> I agree that users should not use weak passwords, but not everyone > goes everywhere with a vault. I am more than capable of memorizing 20 or > so 16-32 character full set passwords. > >> > > > > And so you assume everyone can do that? I can remember maybe 5 of the > > passwords I regularly need. (I rarely repeat passwords for different > > sites.) In addition, some passwords have been *assigned* to me and > > cannot readily be changed (and are usually difficult to remember). Many > > of the rest I so seldom use that it would be silly to try to remember > > them. Particularly when I do have a password-locked file I can use to > > record them for me. > > > > Under the circumstances I described, I have yet to hear in what way > > copying and pasting passwords compromises security of anything by > > itself. Please enlighten me. > > Correct me if I'm wrong, but if you initially type the username and > password into a file, and you have, in my paranoid scenario, a > keylogger you don't know about, it gets logged, but also, I assume it > would get logged if you typed it in as well, on the site, or that > someone could lift the password if given the authority on your system, > correct? Well, let's see. My system sits behind a firewall. No external services are advertised to the internet. All internal addresses are non-routable. I do not use or have any wifi. The system sits in my home office. I use a Debian Linux system and practice very safe computing. I often investigate little-known sites before surfing to them, and never accept temptations to click on ads. In fact, I have my /etc/hosts file set up to block the vast majority of ad servers (I see a fraction of the ads most people see). I never download content of questionable origin, nor accept it from others without investigating it first. I have a root kit detector installed, which I periodically use. I'm the only person who uses this computer. No one who enters this space is more knowledgeable than I am about computers (= not capable of hacking a computer). And suffice it to say that I'm easily capable of dropping an intruder in his tracks from a distance should he enter my abode uninvited. Moreover, the law here allows me to do so with impunity. Now, theoretically, assuming I'm entering a password over an unencrypted internet connection (non-HTTPS), someone could theoretically capture that password. However, I can't think of the last time I've been asked to do such a thing, if ever. And if invited to do so, I would check first what kind of content such a hacker would thereby gain access to. If the content wasn't that important, then it wouldn't much matter to me if they captured the password. (I've worked at places where a password on an unencrypted internet-facing server would give someone access to the bug-tracking system. Big deal.) So, yes, on planet Epsilon-3-Bingo, perhaps. But here? Unlikely. Paul -- Paul M. Foster http://noferblatz.com
Re: [PHP] Re: Do you trim() usernames and passwords?
It would seem that within the streaming of information that moves across networks, that such things as virus detection within these networks (meaning governmental oversight of info... post 9/11), which, if I'm not mistaken, is regexing for matching strings of definitions, are checked for as they stream through systems, leaving mainly encrypted versions for release. That way, even if they don't stop it, and watch it propagate (to see what it does), then they still know you weren't a part of it.