in reply to Re: Taint checks on passwords?
in thread Taint checks on passwords?

Most systems implement passwords that only allow letters and numbers. In this case, a decent taint check would be:
my ($checked) = $submitted =~ m/^([a-zA-Z0-9]+)$/; if (!defined $checked) { croak "Invalid name or password.\n" }
I am actually basing this on what I remember from reading said tutorial by Ovid, where you don't specify what you don't want (which is complicated) but rather specify only what you DO want, and your error message does not give away TOO much information about what went wrong to the user.

Replies are listed 'Best First'.
Re: Re: Re: Taint checks on passwords?
by monsieur_champs (Curate) on Jun 04, 2003 at 17:48 UTC

    Most systems implement passwords that only allow letters and numbers. In this case, a decent taint check would be:

    my ($checked) = $submitted =~ m/^([a-zA-Z0-9]+)$/; if (!defined $checked){ croak "Invalid name or password.\n" }

    Almost right.
    Most systems allow users to enter passwords that match

    my ($checked) = $submitted =~ /^([a-zA-Z_0-9\(\)\[\]\{\}\+\=\-\\\/\*]{$MinPwLen,$MaxPwLen})$/;

    I would use something like this to untaint a password.

    Where:

    $MinPwLen is the minimal password size in chars.

    $MaxPwLen is the maximal (if any maximal is needed) password size in chars.

    Note: Don't forget to document and tell your users about what characters are valid to compose a password. This is very important.

    Note 2: Keep this kind of information away from evil internet script-kiddies; they can use this to narrow a dictionary-like attack and break into your system faster.

    May the gods bless you

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Just Another Perl Monk
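A fuller version of the whitelist check the two posts sketch, added here as an example and not code from either poster: the allowed character set is the one from the reply, while the length bounds and the sample inputs are constructed for the demonstration.

```perl
use strict;
use warnings;
use Carp;

# Added example for this thread, not code from either poster.
# Allowed character set is the one from the reply above; the length
# bounds are assumed values for the sake of the demonstration.
my $MinPwLen = 8;
my $MaxPwLen = 64;

# Whitelist untaint: returns the validated copy of the input, or undef.
# The capture group is what clears the taint flag; the ^ and \z anchors
# force the whole string to be inspected (\z, unlike $, also rejects a
# trailing newline); the {m,n} quantifier replaces the bare [...] of the
# original snippet, which matched exactly one character.
sub untaint_password {
    my ($submitted, $min, $max) = @_;
    return undef unless defined $submitted;
    my ($checked) = $submitted =~
        m/^([a-zA-Z_0-9()\[\]{}+=\-\\\/*]{$min,$max})\z/;
    return $checked;
}

# Wrapper that fails with the same generic message whatever the cause,
# so the error text leaks nothing about the rules or the stored password.
sub checked_password {
    my ($submitted) = @_;
    my $pw = untaint_password($submitted, $MinPwLen, $MaxPwLen);
    croak "Invalid name or password.\n" unless defined $pw;
    return $pw;
}

# Constructed sample inputs and why each is accepted or rejected.
my @samples = (
    [ 'Correct_Horse-42', 'letters, digits, underscore, hyphen' ],
    [ 'ab1',              'shorter than $MinPwLen'             ],
    [ "secret123\n",      'trailing newline'                   ],
    [ 'pass word',        'space is outside the allowed set'   ],
    [ 'x' x 80,           'longer than $MaxPwLen'              ],
);

for my $s (@samples) {
    my ($pw, $why) = @$s;
    my $result = eval { checked_password($pw); 'accepted' } || 'rejected';
    printf "%-38s %s\n", $why, $result;
}
```

Run it with `perl -T` when the values come from CGI parameters or STDIN; the string literals used here are never tainted, so the script also runs without the switch.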