Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Why would you? The only time you actually process it is for getting the hash from your user's password plus your salt.
-
I've came across an article one time where the author explained how companies like FB make variations of user password to assist forgetful users leading to lesser count of password reset.
The logic for example:
A password like => "MyNewP@sswoRd";
----- Results in Variations ------
=> "MyNewP@ssword"
=> "myNewP@sswrd",
=> "MynewPassword"
Facebook makes variations like above though not specific, and these variations are used during validation of credentials on the user's trusted (most used) devices when the main password is wrong. -
No, but I sometimes force lowercase the first letter because mobile keyboards are retarded. But you should pass the password more or less directly to a hash function.
-
I don't think I should touch the password at all and treat it like a binary blob that just gets used in a hash function somewhere
The only thing that I can imagine doing is blacklisting certain unicode characters, but then again if you put an emoji in your password you're asking for it to break. -
dder22813y@GiddyNaya what in the fuck ? To when I’m brute forcing, with one attempt I actually try a handful of passwords ? Or is it displayed to the user “hey, maybe try one of those instead” ?
-
@dder If you mean the Facebook implementation... Brute forcing is of no use since your machine is not a trusted device.
-
If your password rule is to not allow whitespace then you alert the user to change the password once whitespace is there.
Personal question...
Do you "trim/remove" whitespaces from your user's password?
Why or Why not?
question
account password