[ale] a quick test of web site stupid

David Tomaschik david at systemoverlord.com
Thu Feb 28 14:43:47 EST 2013


Any website that places "limits" on your password is doing it wrong.
Minimums are fine (and arguably good) but limiting total length, character
set, or worst of all, words that can be included is doing it wrong.  I once
saw a site that said something like:

The following are not allowed in usernames or passwords: ", ', =, /, *, -,
SELECT, DELETE, UPDATE, INSERT, UNION...

That's right: they're looking for specific keywords to prevent SQL
injection... (and I distinctly recall that *DROP* was not in their list!)


On Thu, Feb 28, 2013 at 11:22 AM, Jim Kinney <jim.kinney at gmail.com> wrote:

> This is just my opinion but....
>
> When I need to use a secure login for a web site like, say, a utility
> company or a shopping site that stores my credit card, I like to test the
> security of their coding practices by trying to use a password that has a
> '.' and a '!' in it. When the password checker complains, I take that as a
> good sign their coders don't properly escape user input data and thus are
> probably crappy in other areas.
>
> I am astounded at the number of places that still have issues (Verizon!).
>
> --
> --
> James P. Kinney III
> *
> *Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his own
> tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> *
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/
> *


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
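To make the point concrete, here is an added example (not code from either poster) contrasting the keyword blacklist quoted above with the approach that actually separates data from SQL: parameterised queries plus a salted password hash. The blacklist, the sqlite3 schema and the sample password are constructed for the demo; note that, as David observed, DROP slips straight past the filter.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed to match the list quoted in the thread (DROP is absent).
BLACKLIST = ['"', "'", "=", "/", "*", "-",
             "SELECT", "DELETE", "UPDATE", "INSERT", "UNION"]

def blacklist_rejects(password: str) -> bool:
    """Mimics the site's check: reject if any listed token appears."""
    upper = password.upper()
    return any(tok in upper for tok in BLACKLIST)

def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2: the database stores a hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised query: the driver keeps data and SQL apart, so no
    # character or keyword in the password can alter the statement.
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)",
                 (username, salt, digest))

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    # Constructed password made of exactly the things the blacklist bans.
    pw = "it's 100% fine; SELECT * FROM users WHERE 1=1 -- UNION"
    register(conn, "alice", pw)
    return {
        "blacklist_rejects_pw": blacklist_rejects(pw),
        "blacklist_rejects_drop": blacklist_rejects("DROP TABLE users"),
        "login_ok": login(conn, "alice", pw),
        "login_wrong": login(conn, "alice", "it's 100% fine"),
        "table_intact": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 1,
    }
```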