@galaxis and Microsoft's login limits password length to 20 chars, last time I checked.

[ s e c u r i t y ]

@MxCraven @galaxis why use a password hash function, making literally any string of any length completely safe for use in passwords, and also protecting your users' passwords way better at rest, when you can just ban the characters

@00dani @galaxis You could still inject something before it's hashed I guess.

When I see these I usually assume whoever wrote it was just following the generic "Never let any fucker enter these characters into any text box" rulebook

@MxCraven @galaxis that's so silly and unnecessary though? you can simply parameterise your database queries properly and then injection is impossible, no matter how weird the arguments you get from end users are

@galaxis
Sounds like there could be a vulnerability hiding behind that limitation.

They must be using a hashing algorithm that are unable to hash those characters! ;)

@galaxis Seeing as how they're too lazy to sanitize their inputs, I really wonder if the character checker is implemented on the frontend or is otherwise easy to bypass.

Sign in to participate in the conversation
INFRa Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!