Should we remove any characters from passwords?
Or do we just need to run away and prepare a password and give the user the option of each character and special character? I mean, at the end of the day, people trying to implement SQL will fail and they just go out of line, and am I correct in saying that there is no need to punish a normal, law-abiding citizen for other people doing wrong?
+3
user4343646
1 answer
No, do not remove any characters from passwords. If you follow best practice and use password_hash and password_verify, the only thing you will store in your database are harmless hashes. Removing any characters can weaken the strength of their password for nothing.
+3
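The point made in the answer, as an added example that is not part of the original question or answer: a password full of SQL metacharacters is hashed exactly as typed, only the hash reaches the database, and a character-stripped copy no longer verifies. The in-memory SQLite database, the `users` table, the sample password and the `register`/`login` helpers are assumptions made for illustration.

```php
<?php
// Constructed sample password containing quotes and SQL metacharacters.
$password = "p'; DROP TABLE users;-- \"x\" <b>&%";

// In-memory SQLite stands in for the real database (assumption; needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Hypothetical helper: store a new account.
function register(PDO $db, string $name, string $password): void
{
    // Hash the password exactly as typed: no stripping, trimming or escaping.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // The hash is still bound as a parameter, like any other value.
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

// Hypothetical helper: check a login attempt.
function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    // password_verify re-hashes the candidate using the salt and cost stored in $hash.
    return is_string($hash) && password_verify($password, $hash);
}

register($db, 'alice', $password);
$stored = $db->query("SELECT pw_hash FROM users WHERE name = 'alice'")->fetchColumn();

// The stored value contains only hash-format characters, none of the typed ones.
var_dump(preg_match('#^[./A-Za-z0-9$=,+]+$#', $stored) === 1);

// The original password, special characters included, verifies.
var_dump(login($db, 'alice', $password));

// A "sanitized" copy is a different, weaker password and does not verify.
$stripped = preg_replace('/[^A-Za-z0-9]/', '', $password);
var_dump(login($db, 'alice', $stripped));
```

With the bcrypt algorithm that `PASSWORD_DEFAULT` currently selects, input beyond 72 bytes is ignored, which is a length limit and not a reason to filter characters.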