disallowed characters in passwords

Discussion in 'Suggestions and Feedback' started by Mark Oliver, Apr 5, 2014.

  1. In addition to these chars : ! @ # $ % ^ & * + = shown for disallowed control panel passwords, I tested ][{};-, and they are also disallowed. In addition to the incomplete list, IMHO this restriction is yesteryear's crap: it makes your passwords easier to crack and is out of sync with most modern sites, for instance the ASP.NET Configuration tool needed to set up SQL Server. Is this your programmer's feeble defense against SQL injection attack?

    Though the intent was "disallowed" instead of "allowed", the error message below is partially correct: the special characters ! and % are allowed. In addition to the characters in the error message, most other special characters are disallowed.

    [attached image: allowedErrorMessage.gif]
     
  2. mjp

    Hello Mark. Our developers cannot make any attempt, feeble or otherwise, to protect you from SQL injection, since we don't develop your public-facing SQL interfaces. And that is where injection takes place, as I'm sure you know. The database password doesn't enter into the equation.
     
  3. I was referring to the database you have with your customers' Control Panel and SQL login information; I have no idea if what you use is susceptible to SQL injection attacks or not. I was speculating why you have yesteryear's restrictions on special characters in passwords. Modern sites, instead of restricting special character use, require at least 1 in passwords, like the ASP.NET Configuration tool. This increases the difficulty of hacking otherwise susceptible passwords like birthdays or initials. Are you going to fix the bad error message I documented above? Change "allowed" to "disallowed", remove ! and %, add the other special characters that are disallowed. Or you could modernize and allow all 7-bit ASCII characters between 0x21 and 0x7E? Then you wouldn't need an invalid character error unless somebody tried something over 0x7F.
     
  4. mjp

    Well, I can't argue with you there, mainly because the Control Panel is from yesteryear, being that the foundation was built more than a decade ago, in 2003.

    As we built on to that, we built on the existing foundation; we didn't replace it. We have added a lot of functionality, but generally we don't change something that already works. Since the Control Panel ties into many different aspects of the platform as a whole - and since tens of thousands of users are accustomed to the way it works - it isn't necessarily a trivial task to make a change to how any single element of it works. As I'm sure you can imagine.

    You might give that a try again. !@#$%^&*+= definitely are allowed.

    I certainly believe you when you say you ran into a problem there. But I created a few SQL users using passwords with the allowed special characters (one password with all of those characters), to see if I could see what you're seeing, and the passwords were all accepted without any issue. So I'm afraid I'm not sure what part of the restriction you were running into when you were attempting to create a password.
     
  5. FrankC (DiscountASP.NET Staff)

    I checked the code again; it's using the following regular expression to validate:

    ^[0-9A-Za-z!@#$%^&*+=]*[A-Za-z]+[0-9A-Za-z!@#$%^&*+=]*$

    It should allow all these characters: "! @ # $ % ^ & * + ="
     
  6. Sorry, my mistake. The matches appear to follow the regex above only if the first * is escaped ("\*"), the second * is turned "lazy" ("*?"), and the third * is escaped ("\*"). A "greedy" second * would always return 0 matches because it would consume all allowed characters to the end of the line, and then the [A-Za-z]+ would fail.
     
  7. FrankC (DiscountASP.NET Staff)

    Can you give me an example of the password you are trying to use? I can test it with a regex tester.
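An added example, not code from the thread or from DiscountASP.NET: it runs the pattern FrankC quoted in post 5 and the lazy variant proposed in post 6 over constructed sample passwords, using Python's re module (a plain pattern like this behaves the same under .NET's Regex), reports which characters fall outside the allowed class (the detail the error message in post 1 leaves out), and checks the 0x21-0x7E proposal from post 3. Function names and sample passwords are constructed for illustration.

```python
import re
import string

# Pattern quoted by FrankC in post 5 as the Control Panel's password validator.
CONTROL_PANEL = re.compile(r"^[0-9A-Za-z!@#$%^&*+=]*[A-Za-z]+[0-9A-Za-z!@#$%^&*+=]*$")
# Variant from post 6: the middle quantifier made lazy ("*?") instead of greedy.
CONTROL_PANEL_LAZY = re.compile(r"^[0-9A-Za-z!@#$%^&*+=]*?[A-Za-z]+[0-9A-Za-z!@#$%^&*+=]*$")
# The character class the pattern accepts, spelled out for the diagnostic below.
ACCEPTED = set(string.ascii_letters + string.digits + "!@#$%^&*+=")

def accepted_by_control_panel(password: str, pattern=CONTROL_PANEL) -> bool:
    """True if the password satisfies the quoted pattern.
    fullmatch is used so a trailing newline cannot slip past the '$' anchor."""
    return pattern.fullmatch(password) is not None

def rejected_characters(password: str) -> str:
    """Characters outside the pattern's class, in order of first appearance."""
    seen = []
    for ch in password:
        if ch not in ACCEPTED and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def accepted_by_proposal(password: str) -> bool:
    """Post 3's proposal: every printable 7-bit ASCII character 0x21..0x7E is allowed."""
    return len(password) > 0 and all(0x21 <= ord(ch) <= 0x7E for ch in password)

def greedy_and_lazy_agree(passwords) -> bool:
    """Do the greedy pattern and the lazy variant accept exactly the same passwords?"""
    return all(accepted_by_control_panel(p) == accepted_by_control_panel(p, CONTROL_PANEL_LAZY)
               for p in passwords)

# Constructed sample passwords (not taken from the thread) covering the cases discussed.
SAMPLES = [
    "!@#$%^&*+=Abc",   # every special character the pattern allows, plus letters
    "Passw0rd!",        # ordinary mixed password
    "12345678",         # digits only: the [A-Za-z]+ part demands at least one letter
    "abc]def",          # characters Mark tested in post 1: ] [ { } ; -
    "abc{de}f;g-h",
    "abc\n",            # trailing newline: must not be accepted by either policy
]

if __name__ == "__main__":
    print("greedy and lazy agree:", greedy_and_lazy_agree(SAMPLES))
    for pw in SAMPLES:
        print(repr(pw), "control panel:", accepted_by_control_panel(pw),
              "rejected chars:", repr(rejected_characters(pw)),
              "proposal:", accepted_by_proposal(pw))
```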
     
