by elehack 5369 days ago
A while ago, Tracfone's web site had a rather disappointing bug. Both the account registration and login flows did password validation, and used different validation functions. The result was that I could create an account with a password containing special characters that the authentication system would reject as containing invalid characters (and therefore not even try to verify against my stored password/hash).

Moral: account registration and authentication must use the same password normalization functions, and if you validate at auth time (which is pointless, but hey), the validation function must be the same as the registration one.

Better moral: just don't do silly things with passwords. Encrypt them and store them, accepting whatever the user wants to send you that's sufficiently long/high-entropy.
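The bug class in the comment above, as an added example that is not code from the commenter or from Tracfone: two flows that disagree about which characters a password may contain, followed by the shape the comment argues for, one normalization function shared by registration and login, with length as the only policy and the hash checked against whatever the user sent. All names (`buggy_register`, `safe_login`, the allowed-character sets, the in-memory `store` dicts) are hypothetical; PBKDF2 is used only because it is always in the Python standard library, and a memory-hard KDF would be the better choice in production.

```python
import hashlib
import hmac
import os
import string
import unicodedata

# Hypothetical account store for the example: username -> (salt, derived key).
# PBKDF2-SHA256 from the stdlib; a memory-hard KDF (scrypt/argon2) is preferable in production.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=32)

# ---- The bug: registration and login validate with different rules -------------------
REGISTER_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)
LOGIN_ALLOWED = set(string.ascii_letters + string.digits)  # narrower: punctuation is "invalid"


def buggy_register(store: dict, username: str, password: str) -> str:
    if not set(password) <= REGISTER_ALLOWED:
        return "rejected_by_validator"
    salt = os.urandom(16)
    store[username] = (salt, _derive(password, salt))
    return "ok"


def buggy_login(store: dict, username: str, password: str) -> str:
    # The character check runs before the stored hash is consulted, so a password
    # that registration accepted can never be verified here: the account is locked out.
    if not set(password) <= LOGIN_ALLOWED:
        return "rejected_by_validator"
    if username not in store:
        return "bad_credentials"
    salt, expected = store[username]
    return "ok" if hmac.compare_digest(_derive(password, salt), expected) else "bad_credentials"


# ---- The fix: one shared normalization, no character blacklist -----------------------
MIN_LENGTH = 12
_DUMMY_SALT = bytes(16)  # used so unknown usernames cost the same as known ones


def normalize(password: str) -> str:
    """Single function used by BOTH flows. NFKC maps equivalent code point
    sequences (e.g. 'e' + combining acute vs. precomposed 'e-acute') to one
    form, so the same keystrokes verify regardless of platform. Length is the
    only policy; any character the user sends is accepted."""
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < MIN_LENGTH:
        raise ValueError("password too short")
    return normalized


def safe_register(store: dict, username: str, password: str) -> str:
    try:
        pw = normalize(password)
    except ValueError:
        return "too_short"
    salt = os.urandom(16)
    store[username] = (salt, _derive(pw, salt))
    return "ok"


def safe_login(store: dict, username: str, password: str) -> str:
    try:
        pw = normalize(password)
    except ValueError:
        return "bad_credentials"
    # Same normalization as registration, then straight to the hash comparison.
    salt, expected = store.get(username, (_DUMMY_SALT, bytes(32)))
    matched = hmac.compare_digest(_derive(pw, salt), expected)
    return "ok" if matched and username in store else "bad_credentials"


if __name__ == "__main__":
    buggy, safe = {}, {}
    pw = "correct-horse!battery"  # constructed sample password containing punctuation
    print(buggy_register(buggy, "alice", pw), buggy_login(buggy, "alice", pw))
    print(safe_register(safe, "alice", pw), safe_login(safe, "alice", pw))
```

Running the `__main__` block shows the buggy pair accept the password at registration and then reject it at login without ever touching the stored hash, while the shared-normalization pair accepts it in both places. The `store.get` with a dummy salt in `safe_login` keeps the cost of a wrong username close to that of a wrong password, so the login path does not hand out a timing-based username oracle.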