Are spaces valid components of a password?

4

Is space a valid component of a password or not? I am trying to save the 10 most recent passwords in one string in a database and need to find a good delimiter for them. I think space may be a good candidate. What do you think?

5YrsLaterDBA

Posted 2010-02-22T13:23:28.840

Reputation: 395

Question was closed 2011-11-04T07:47:24.590

3

As @Bart said - HASH the password. Read this to help explain why: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

– Rory Alsop – 2011-11-02T10:08:10.117

Answers

6

It depends on your password policy. I know quite a few sites/systems where the space is a valid character for a password. To be on the safe side you could check for spaces within the password and escape those.

Oh, and as a short update: Try to repair the database design. As you have a 1:n relationship, you should save each password separately and connect every entry to the corresponding user.

DaDaDom

Posted 2010-02-22T13:23:28.840

Reputation: 288

5

Spaces are normally valid. I'd be wary of any delimiter, as it's a form of security through obscurity that someone won't crack it or accidentally stumble on it in the future and you'll have to figure out the bug.

I'd use a separate entry for each one.

You don't mention what application this is...if you're making the application, you could try doing something to enforce your own policy that would scrub out and sanitize the entry, or you would more sensibly hash the password (you generally don't want actual passwords saved) and the hash wouldn't have the password in it. Then I suppose you could use whatever delimiter you want as long as it isn't part of the hash namespace of characters.

Bart Silverstrim

Posted 2010-02-22T13:23:28.840

Reputation: 1 755

2+2 for hashing. Hashing w/ hex encoding has the advantage that you're only going to get 0123456789ABCDEF, and you can use anything that's not those to delimit the password. (And has the added security advantage that it's more difficult to recover a password from your stolen database) – Jason – 2010-02-22T14:26:28.477

The hash idea is good IF the password doesn't have to be stored in plaintext. Although I also guess that it is meant as a "recent passwords" history, "student" didn't mention the actual purpose of storing the passwords. – DaDaDom – 2010-02-22T14:33:08.073

1@DaDaDom: Even if recent history of passwords, you just take their inputted password, hash it, compare to what's in the history of hashes...if the hashes match, it's been recently used. Storing plaintext passwords is normally a bad idea. – Bart Silverstrim – 2010-02-22T15:10:31.400

I often use 2-4 word phrases, with spaces, as a passphrase -- specifically because the space is an uncommon password character, making it less likely to be cracked (it's also really fast to type, since it's just like typing a normal sentence). I'm always annoyed when I find the rare service that doesn't let me use spaces. Hashes would be good... or if you really want to store plaintext, just escape the delimiter in the password strings. – Josh – 2010-02-22T15:14:37.230

@Bart: For that case, as you mentioned, hashing IS the solution. But maybe there is some other purpose for storing the password which needs them to be stored in plaintext. We don't know ... – DaDaDom – 2010-02-22T15:29:23.457

@DaDaDom: You're right, I was just addressing the recently used password list case :-) – Bart Silverstrim – 2010-02-22T15:38:12.560

5DON'T STORE UNENCRYPTED PASSWORDS IN YOUR DATABASE. – Ken Liu – 2010-02-22T15:40:37.847
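The approach from the answer and comments above (one row per old password, hashed, compared on change), as an added example that is not part of the original posts. It assumes Python with SQLite, a hypothetical `password_history` table and per-entry salted PBKDF2 with an assumed iteration count; because each entry has its own salt, the candidate is re-derived against every stored row rather than compared to a single precomputed hash.

```python
import hashlib
import hmac
import os
import sqlite3

HISTORY_LIMIT = 10      # the question's "recent 10 passwords"
ITERATIONS = 100_000    # assumed PBKDF2 work factor; tune for your hardware

def open_db():
    db = sqlite3.connect(":memory:")
    # One row per old password (the 1:n design), so no delimiter is needed.
    db.execute("CREATE TABLE password_history ("
               "id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL, "
               "salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return db

def _derive(password, salt):
    # Spaces and any other characters are just bytes to the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def recently_used(db, user_id, password):
    """True if password matches any stored history entry for user_id."""
    rows = db.execute("SELECT salt, hash FROM password_history WHERE user_id = ?",
                      (user_id,)).fetchall()
    # Re-derive with each row's salt; compare in constant time.
    return any(hmac.compare_digest(_derive(password, salt), stored)
               for salt, stored in rows)

def change_password(db, user_id, new_password, limit=HISTORY_LIMIT):
    """Record new_password unless it is in the user's recent history."""
    if recently_used(db, user_id, new_password):
        return False
    salt = os.urandom(16)
    db.execute("INSERT INTO password_history (user_id, salt, hash) VALUES (?, ?, ?)",
               (user_id, salt, _derive(new_password, salt)))
    # Keep only the newest `limit` rows for this user.
    db.execute("DELETE FROM password_history WHERE user_id = ? AND id NOT IN ("
               "SELECT id FROM password_history WHERE user_id = ? "
               "ORDER BY id DESC LIMIT ?)", (user_id, user_id, limit))
    db.commit()
    return True
```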

1

You can't rely on space, as it is a valid password character on most systems, especially now that pass-phrases are the new passwords.

Depending upon what/how you are doing this, you might be able to use a char with ASCII 0x00, another character not normally found on a keyboard or what about Unicode?

Personally, I wouldn't attempt to concatenate them into a single string, I'd probably store an entry for each password.

Bryan

Posted 2010-02-22T13:23:28.840

Reputation: 1 563