Security: HTML password input
18 October 2014 at 19:06
So, apart from a few exceptions, almost all passwords shouldn't have any upper limit on their size (= no maximum length). Riiiight? :)
(Since they aren't supposed to be stored in raw form anyway, and most (if not all?) hashing algorithms accept a password of any size and always return a unique, constant-length string)
So why doesn't HTML prevent bad ideas from working? Like setting a maximum length on a password input… The way I see it, that should just not work and be reported in the console for debugging purposes.
For the things I call "exceptions", I was thinking about PIN codes, for instance. I could imagine letting HTML implement a new tag (or a new type of input tag) allowing a max length, but surely it would be abused too… Maybe those "PIN code" inputs should only allow one fixed length of password (as expected from a PIN code anyway, and that would induce way less abuse too):
Finally, my browser (maybe some others too; mine is currently Pale Moon, an implementation of Firefox) only prevents me from typing more characters once I reach the maximum allowed by maxlength… it doesn't warn me, it does nothing but block the input… The problem is that, if it were plain text, I could notice it easily, but as it is a password input and my password is longer than the visible width of the field, I have no fucking clue that what I'm currently typing is thrown away as I type it… -_-
So, some fucking warning would be appreciated, at least!
— Permalink
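One way to get the warning the post asks for, as an added example (not code from the original post): a small script that reads the field's maxlength, computes how many typed or pasted characters the browser would silently discard, and notifies the user. The `droppedChars`, `truncationMessage` and `warnOnTruncation` helpers and the `notify` callback are assumptions of this example.

```javascript
// Added example (not from the original post): detect when a password field's
// maxlength would silently discard what the user types, and warn instead.
// Pure decision logic is kept separate from DOM wiring so it is testable.

// Number of characters that would be lost if `insertLen` characters are
// inserted into a field holding `valueLen` characters with `selectedLen` of
// them selected (selected text is replaced). A null or negative maxLength
// means the field has no limit, as in the HTML spec.
function droppedChars(valueLen, selectedLen, insertLen, maxLength) {
  if (maxLength == null || maxLength < 0) return 0;
  const resultingLen = valueLen - selectedLen + insertLen;
  return Math.max(0, resultingLen - maxLength);
}

// Warning text shown to the user; the plural handling keeps it readable.
function truncationMessage(lost, maxLength) {
  const noun = lost === 1 ? 'character' : 'characters';
  return `Password field is limited to ${maxLength} characters: ` +
         `${lost} typed ${noun} discarded`;
}

// Wire the check to one <input type="password">. `notify` receives the
// message (e.g. console.warn, or a function that shows an inline hint).
// keydown fires before the browser applies maxlength, so field.value is
// still the pre-keystroke value; paste is checked via the clipboard text.
function warnOnTruncation(field, notify) {
  const limit = field.maxLength; // -1 when the attribute is absent
  const selectedLen = () => (field.selectionEnd || 0) - (field.selectionStart || 0);
  field.addEventListener('keydown', (ev) => {
    // Only single printable characters without modifiers insert text.
    if (ev.key.length !== 1 || ev.ctrlKey || ev.metaKey || ev.altKey) return;
    const lost = droppedChars(field.value.length, selectedLen(), 1, limit);
    if (lost > 0) notify(truncationMessage(lost, limit));
  });
  field.addEventListener('paste', (ev) => {
    const text = ev.clipboardData ? ev.clipboardData.getData('text') : '';
    const lost = droppedChars(field.value.length, selectedLen(), text.length, limit);
    if (lost > 0) notify(truncationMessage(lost, limit));
  });
}

// In a browser, attach to every password field that declares a maxlength.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    document.querySelectorAll('input[type="password"][maxlength]')
      .forEach((f) => warnOnTruncation(f, console.warn));
  });
}
```

The server still has to accept the full-length password; this only makes the client-side truncation visible instead of silent.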