|
somebody is using some piece of software which he never reviewed.
Press F1 for help or google it.
Greetings from Germany
|
|
|
|
|
ithinkwhitespaceisaspecialcharachterinsertsmiley
... such stuff as dreams are made on
|
|
|
|
|
Well, filenames can't have certain characters, so in some cases, telling the user that is okay, in my eyes.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
|
|
|
|
|
If you are naming a file, then it's understandable to check for those characters. But not in a username or password or plain text input field to be inserted into a file or database.
If you think 'goto' is evil, try writing an Assembly program without JMP.
|
|
|
|
|
Password raise a scary thought. If they're rejecting special characters in a password it implies they're writing it straight into the database as plain text without hashing it.
|
|
|
|
|
A very good observation.
There is another argument (I am not saying that it is valid, though:
I prefer to use passphrases, not passwords. Phrases have space in them. If you prefer to primarily work in a command line environment (read: You're a Linux guy), you want the password to be an argument on the call line, like -p passwd. Standard command line parsers want the argument value to be a single word, or you would have to quote it, and that is too cumbersome.
You can go on from there: If the real -p argument starts with (/contains) a quoting charcter (there are several), a hyphen, a backslash, ... then it must be quoted in some suitable way, even if it consists of a single word. The method of quoting may depend on which special character(s) that makes quoting necessary.
In a GUI, you don't have to be concerned about printable characters - they are all valid. Of course the encoding must be defined - trying to use an 8859-1 encoding of the key to decrypt a document which was encrypted with an UTF-8 encoding of the same key won't work. As long as you state that 7 bit ASCII "should be enough for everybody" (again: You are a Linux guy) different encodings is not an issue: ASCII is a subset of all 8859-variants and of UTF-8.
So if you rule out non-ASCII characters to avoid encoding issues, and all those characters that is affected by command line parsing conventions, there isn't that much left beyond a-zA-Z0-9.
|
|
|
|
|
You wouldn't want to pass passwords as a parameter because then you can't control whether or not they're being logged by anything watching stdin. I'd be OK with the limitations being on some transport layer like only accepting ASCII or UTF-8. I more take issue with validation where they characters like '<', '>' and '&' are blocked, or in the most severe cases I've heard of words like 'select', 'where' and 'script'.
Actually I'm reminded of a an argument I had with a security 'expert' when I was a junior dev. He said I'd failed one of his security tests because the form I'd built accepted a SQL Injection. I'd used Linq to SQL so the attempt at injection had just been perfectly escaped and stored as a string, but he was pretty adamant the UI should be blocking submission.
|
|
|
|
|
I wouldn't want them applications to require the password as a parameter, but nevertheless I have to accept it when the application is not one that I can change. There are load of them out there, requiring the password as a parameter!
Bamboo (the CI system) recognizes this, and lets you pass the password through a bamboo defined variable. If the name of this variable contains the substing 'password', in the log files from the build, the actual value is not printed; the log rather displays a number of asterisks.
I hate it when some site tells me "Your new password looks too much like your old one", which proves that they store the password in cleartext. Other sites refuse passwords having the site name or service name as a substring, or my user name as a substring (even if it makes up only five of the twenty characters). It is like they say "We do not accept any sort of memorizing rule - we insist on passwords that are so meaningless that you HAVE to write them down".
Kerberos was (/is) a very well designed single-sign-on system developed in *nix environments. Unfortunately, MS didn't wait until it had been established as The *nix authentication system, but were in the forefront, including Kerberos in Windows. To the *nix community, that was like poisoining Kerberos - it was instantly made intouchable in *nix environments. You do not want to touch anything that has been soiled by MS.
Yet, Kerberos is a great system: An authentication (login) service sends you a (time limited) proof of your identity, encrypted with your password. No PW is transferred across the net. If you cannot decrypt it locally, it has no value. If you can decrypt it, you can ask a ticket servcice (or several) for (time limited) tickets to various services, by showing this certified ID card as a proof of identity. You can access any number of services without re-specifying any password. The ticket service may, based on the authorizations in the ID card or its own database, issue tickets with limited or extended rights. A service need only look at the ticket to decide what to make avilable and for how long - the identity of the requester is available, but many services need not relate to it. A lot of extra security features is built into the tickets, such as expected client IP adddress (making stolen tickets worthless from other sites), service authentication (the ticket has fields encrypted with the key of the service) ect.
It really is a pity that Kerberos did not break through as The Internet login method. If MS could just have held back until *nix people had started promoting it as their solution... but that didn't happen. Kerberos was lost and login procedures remain at stone age level.
|
|
|
|
|
I used to have an Amiga 1000 which allowed filenames to have special characters and even non-printable characters. It worked great. That computer was way ahead of its competitors.
|
|
|
|
|
I was a student in the minicomputer era, and when we managed to get hold of the Administrator password, we created users with ESC in the password. On this OS, ESC was used to escape(!) out of the current operation, such as specifying the keyword. The login procedure was restarted. I, and a few other students could still login, by escaping the ESC. You wouldn't discover it by watching us log in: When reading the password, nothing was echaoed.
When *nix arrived, we excelled in making file names such as ../myfile, or \r\n/myfile (backslashes were not escapes), or with a backspace character in the name. Maybe some of these file names are illegal in modern *nixes - given that the primary user interface is a command line, a few restrictions can make sense.
|
|
|
|
|
IMHO, there shouldn't be any restrictions on length or composition of a password if they are using proper security. It looks like they are either storing passwords as clear-text, which is incredibly bad, or they are encrypting the passwords in the database, which is also bad. If they used salted hashes, like they should, none of it would matter.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
|
|
|
|
|
Wait, what, he was writing a product review, nothing to do with passwords.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
For short terms with very specific semantics I tend to be more tolerant to syntactic restrictions (although I will do what I can to reduce them). For example passwords, you may have to specify them through a variety of input mechanisms (GUI, command line interface, smartphone app, ...), with no guarantee that the device provides all the characters. If you are abroad to give a demonstration of your new web site, requiring logon, and the password you use is "Vømmøl", how do you specify it on that US keyboard? (In case you wonder: Vømmøl is a dialect variant of vadmel, which is Norwegian for a homespun wool quality used for working clothes. Knowing that won't help your login, though!)
For a plain text, like this product review, I have much stronger objections. Such a text should be left untouched by digital hands. You should be allowed to use any printable character, and essentially non-printable as well. It should be treated as a binary blob except by those functons that actually relate to the text contents.
But we computer guys think it is just so convenient having access to the <, / and > as text. We crave for these special characters, these escapes. "For convenience" we do not want text contents to be any arbitrary sequence of characters.
We are beginning to learn, the hard way, about the dangers of SQL injection (everybody knows https://xkcd.com/327/ today), but we are still accepting HTML code injection. A few years ago, numerous web sites would mess up the screen completely if you happened not to add the appropriate closing tags. There is less of that nowadays, but still text may disappear in mysterious ways because the author was unaware of the special semantic meaning of <. Or of the ampersand. Or the backslash. Or ...
HTML, or other text-based markup, is not fit for human consumption. Visible characters are text, not markup. If there is a need to add markup, it should be done outside the text, and the code-behind may use whatever internal encoding it wishes, as long as it does not interfere with the text contents. Ordinary users think it perfectly OK to click an "italics" or "chapter level 2" button; those insisting on textual taggig are essentially the computer guys!
CP gives us a helping hand through the Preview pane. That is really an emergency workaround - other net fora offer editors where the writer works directly in the "tags interpreted" format. Yes, that requires more work; the input editor cannot be limited to 7-bit ASCII (or its relatives). But if you don't want to look stone age, you have to make that effort.
|
|
|
|
|
I would limit you to the 26 letters and the ten digits.
|
|
|
|
|
YouMeanYouWouldNotLetHimEvenUseSpacesQuestionMark
Software Zen: delete this;
|
|
|
|
|
|
YOUARERIGHTIMISSEDTHATISTHISBETTERYOUMEANYOUWOULDNOTLETHIMEVENUSESPACESQUESTIONMARK
Software Zen: delete this;
|
|
|
|
|
OK, that's good. It is exactly what I meant.
Now, we old folks are allowed to use whatever characters we like. But him, 'The Youngster', should not be allowed to.
|
|
|
|
|
Few programmers are aware that space has no significance in Fortran: GOTO and GO TO are equivalent (or G OTO, if you prefer). Nor are there any reserved words: You can declare an INT EGER REAL variable or a REAL COMPLEX, so that REAL is integer and COMPLEX is real.
Disclaimer: I never worked with Fortran after Fortan-77. Newer Fortran standard may have changed these syntax rules.
|
|
|
|
|
Maybe the developer had special needs...
Anyway, what's so special about "special" characters? It's a phrase that's always got my back up. Is it just meant to be non-alphanumeric characters? These "special" characters are not so special when it comes to punctuation, etc!
|
|
|
|
|
Hey, it could be worse. I recently inherited a code base that won't even compile in release mode, only debug mode. And OFC it's using C's char type all over the place. Hey, the codebase is from 2016 mind you, so both Unicode and Unicode path names are a thing. And we're a German R&D office so umlauts are a thing as well. Ah, and the running code expects several support files RELATIVE TO THE WORKING DIRECTORY! In the meantime, I was able to toss that monstrosity. Do you want to guess what my successor did? He wrote a batch file to change to the proper folder and then launch the binary. Instead of fixing the source code to ignore the working directory. Ah, and this batch file bloody hell relies on an environmental variable to tell it where it lies itself.
A part of this, I know for a fact, is to blame on both my predecessor's and my successor's deep hate for Windows and love for Linux (so they litereally couldn't give less of a damn how to makes things properly work on Windows), another part is simply "I don't want to learn anything new since I learned coding back in the 60s". And, I kid you not, this is but a slightly redacted quotation of the answer I received when trying to teach one of those guys ARC to pass a linked list between a part they're mainaining and the part that I was maintaining.
And here we're back to where you started: Some people are just stuck in the 60s, or generally in the past. Learned coding back then, when 7-bit ASCII was the only way to go and simply couldn't care less about keeping up with the times. Even if keeping up with the tiems is but a matter of using ready constructs (like Unicode strings or c++'s list<T>).
|
|
|
|
|
I have my own thoughts on this...
Hold on a sec, I have a cold....
{cough, cough}Lazy Bastards{cough, cough}
now where was I....
oh yes, well there we go
|
|
|
|
|
It's easier to parse later with AI.
(Take the lowest common denominator font; "alpha-numerics" only.)
I think even Google at one time would stumble with "capitalized" versus "not".
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
|
|
|
|
|
- Read this: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- Ponder your own code that reflects user input data (like comments) back to a web page.
- Realize that disallowing ALL special characters makes the data in the DB very future proof.
Points to consider:
- Assume any input is trying to hack you
- Don't trust that the data in your DB is really safe if a user entered it originally.
e.g.,
Today you emit from DB -> HTML and everything is safe.
Tomorrow you emit from DB -> JSON and a lurking time bomb blows up in your face
as all of your customers start mining bitcoin for someone (not you).
P.S. Consider becoming a vegetarian
|
|
|
|
|
I'm not a web developer. And I'm confused. My understanding is that the complexity of protecting against possible attacks comes from HTMLs use of special characters for special purposes that may lead the interpreter of the web page (usually the browsers HTML engine) to perform actions that were not intended. (I suppose it's similar for Java, Javascript, or other languages that are ultimately interpreted by some web page interpreter or web runtime engine)
What I don't get is why this could be possible for input fields that are only meant for plain text input: aren't these recognizable to the interpreter as containers with content that shouldn't be interpreted at all?
If so, why would the contents - user-provided or not - be subjected to any restriction at all? Why should the browser even try to interpret the input field contents?
If not, why not? Why is there no way to define input field contents as off-limits to the interpreter?
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)
|
|
|
|
|