473,324 Members | 2,178 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,324 software developers and data experts.

Minimum & Maximum for username/password

Hi all,

I am trying to create a username and a password class.

I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?

These fields will be something like this:

private static final int DEFAULT_MINIMUM_LENGTH = ??????
private static final int DEFAULT_MAXIMUM_LENGTH = ??????

I can easily specify my own values but I would like the classes to be
scalable and caters for future needs. Hence, I would like them to be
globally accepted.

While at it, what are the taboo characters for both values -
username/password?

Thanks in advance.

Jul 17 '05 #1
4 6012
Lobang Trader wrote:
I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?
I doubt if you'll get users to accept a minimum of more than 6.

I don't seem much point in having a maximum.
While at it, what are the taboo characters for both values -
username/password?


Why have any ?

There may be business reasons for dissalowing some characters in user names,
<tab> for example would not look good on a generated report. But that's a
business decision.

An argument could be made that forbidding " and ' would make SQL-injection
attacks less likely, but my personal opinion is that anyone who assembles SQL
statements by concatenating user-supplied strings should be shot (just as a
matter of course) so the restriction would -- at best -- encourage a false
sense of security.

-- chris
Jul 17 '05 #2
Lobang,
I would recommend not setting a default min/max length for
usernames (or, if you do, make it something like 300 characters or
something, and for passwords, they should be as long as the user
wants, and just store/compare the hash of the password. So if I want
War and Peace (the contents) to be my password, that's cool.

My $0.02.

Michael Scovetta
Lobang Trader <lo**********@hotmail.com> wrote in message news:<40******@news.starhub.net.sg>...
Hi all,

I am trying to create a username and a password class.

I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?

These fields will be something like this:

private static final int DEFAULT_MINIMUM_LENGTH = ??????
private static final int DEFAULT_MAXIMUM_LENGTH = ??????

I can easily specify my own values but I would like the classes to be
scalable and caters for future needs. Hence, I would like them to be
globally accepted.

While at it, what are the taboo characters for both values -
username/password?

Thanks in advance.

Jul 17 '05 #3
Michael Scovetta wrote:
Lobang,
I would recommend not setting a default min/max length for
usernames (or, if you do, make it something like 300 characters or
something, and for passwords, they should be as long as the user
wants, and just store/compare the hash of the password. So if I want
War and Peace (the contents) to be my password, that's cool.
Not to disagree, but i disagree. ;-)

Firstly if these logins are going into a db, allowing arbitrary lengths
can lead to very avoidable performance issues. Why have a "Text"-type
datafild when you can use the faster varchar( 32 ). if you will have
many logins, that will lead to big performance and storage gains.

Why not just limit it at 32? Why allow a 15 megabyte username? Or a
user name that someone types in as "LobangTrader " the space being
added by the the user's kid pressing on the space bar while on the
phone. You should at least trim it.

Also the day that you might want to do LDAP synchronization or
synchronization with any other service that needs a login, you might
have problems since half your uses use @ in there names, but XXX server
doesn't allow it. Allowing names of like 32 characters, no spaces, only
letters, numbers and _,- and the other common ones would go a long way.
Furthermore the day that maby you want to make a script to give them
access to a unix or ftp account, its there. That's scallability baby :)

Also for passwords, i would reccomend not storing passwords at all. You
can do an MD5 password check really easily, and it frees the server from
any liability lawsuits about poeple saying "someone stole my password
off your server".

So what you do is you get the login and password, and MD5 the password
and store that into your database. Then when the user tries to logon,
you get the (HTTPS!) form data and use the java.securirty.MessageObject
class to get an MD5 encoder. MD5 is like a "code" for a string. Its
called a "one-way cypher" because you encode it one way and its
virtually impossible to decode it from the MD5 back to the original string.

Now since you are using MD5, you shouldn't allow to long of passwords
because your probability of collision (two different passwords having
the same MD5) go up as the string is big. I'de just limit it to 64
characters. A 64 character password is a pretty good limit.

Now you may ask, what if the user forgets his/her password and needs a
"get my password" e-mail? well just don't use them. Send them an e-mail
with a couple security questions, going to a specified link code that
expires in XX time like paypal, e-bay etc. Its not really hard to
implement and its pretty secure. Put a couple sample questions like
"what's your favorite food", "Your pet's name", "The street you grew up
on" etc. With that you don't need to store passwords and that helps
free your company of this type liability. (yee! :) ). Contact a lawyer
to make sure though :) since i'me not a lawyer i can't say what frees
you from liability.

At work, a friend of mine actually made an MD5 cypherer in javascript so
even the post data, through HTTPS, was beying encoded. That means that
we didn't even know the password at any given time throughout the
process. Kind of cool to treat log ins and passwords without knowing
the passwords :)

Anyway thats my 0.02$ CAD so that brings you up to real money now!


Lobang Trader <lo**********@hotmail.com> wrote in message news:<40******@news.starhub.net.sg>...
Hi all,

I am trying to create a username and a password class.

I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?

These fields will be something like this:

private static final int DEFAULT_MINIMUM_LENGTH = ??????
private static final int DEFAULT_MAXIMUM_LENGTH = ??????

I can easily specify my own values but I would like the classes to be
scalable and caters for future needs. Hence, I would like them to be
globally accepted.

While at it, what are the taboo characters for both values -
username/password?

Thanks in advance.

Jul 17 '05 #4
Hi,

With regard to the password, I'd suggest an absolute minimum of six
characters. I prefer a minimum of eight characters. As Chris said,
the end users may want only six. Maximum? IMHO, twelve may be a good
practical limit. Not too many people are going to remember a
twelve-character or longer password ;-)

I personally like to stay away from the special characters, i.e. those
which are not letters or numbers. :-)

Yoyoma's discussion about hashing the password and storing the hash in
the database is right on the money. I wrote a password-handling class
some time ago which does just that, using java.security.MessageDigest
and the SHA algorithm(MD5 can also be used). The password is hashed
and then stored in the database table. Upon login, the entered
password is hashed; the hash is compared to the stored hash in the
database and the result dictates where the application goes next.

Have fun,
- Glenn
Lobang Trader <lo**********@hotmail.com> wrote in message news:<40******@news.starhub.net.sg>...
Hi all,

I am trying to create a username and a password class.

I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?

These fields will be something like this:

private static final int DEFAULT_MINIMUM_LENGTH = ??????
private static final int DEFAULT_MAXIMUM_LENGTH = ??????

I can easily specify my own values but I would like the classes to be
scalable and caters for future needs. Hence, I would like them to be
globally accepted.

While at it, what are the taboo characters for both values -
username/password?

Thanks in advance.

Jul 17 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Philip D Heady | last post by:
Hi, I'm validating a simple form for input via post ($PHP_SELF). Near the end I check for username and password. I'm using simple if, elseif, else statements. I require them to enter password...
2
by: Hennie de Nooijer | last post by:
Because of an error in google or underlying site i can reply on my own issue. Therefore i copied the former entered message in this message....
4
by: Patrick.O.Ige | last post by:
I have a code below.(It validates against a SQL DB(login page).thats is giving me an error! When i try to use :- Session = dr.ToString(); To catch the username so as to redirect the user logged in...
15
by: Dino Vliet | last post by:
Hi folks, probably this is a question you've heard so many times but I wasn't able to find a solution to it. I'm using a shell script to create a textfile for me. It looks like...
1
by: Jeff | last post by:
hey asp.net 2.0 I'm trying to create a web page where users can register to my web portal. But I've run into a layout problem when using the data validator classes. The problem is that the...
4
by: Scott | last post by:
In order to give a meaning average value and minimum and maximum values, I would like to have a formula for a group of data after taking out those extremes. Can someone share your way to...
0
by: gunimpi | last post by:
http://www.vbforums.com/showthread.php?p=2745431#post2745431 ******************************************************** VB6 OR VBA & Webbrowser DOM Tiny $50 Mini Project Programmer help wanted...
2
by: Boujii | last post by:
<html> <head> <title>Add New MySQL User</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body> <? if(isset($_POST)) {
1
George Lft
by: George Lft | last post by:
ok, first of all, i built my register page using dreamweaver tool which the codes haven been out of control. Now i'm thinking that turning over everything - by using this another set of codes. And...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.