
Is there any reasoning at all behind the thinking that requires passwords such as this? These sorts of rules are so commonplace that there must be some reasoning for them?


To begin with, preventing SQL injection when passwords are stored in plain text without any escaping. (CHAR(8) field. No special characters allowed.)


That's an utterly horrible reason but I take the point.

I imagine many sites implementing these policies (some banks etc) are hashing their passwords properly and sanitizing SQL though!
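The two designs the comments above contrast (a plaintext CHAR(8) column guarded by a character whitelist, versus hashed passwords and a parameterized query), as an added example that is not part of the thread. The tables, the user rows and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory schema: the legacy CHAR(8) plaintext column beside
# a layout that stores a salt and a password hash instead.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE legacy_users (name TEXT, password CHAR(8))")
conn.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
conn.execute("INSERT INTO legacy_users VALUES ('bob', 'abc12345')")  # constructed row

LEGACY_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

def legacy_rule(password):
    """The policy itself: 1-8 characters, letters and digits only. Its only
    real job is to keep quotes out of the concatenated query below."""
    return 0 < len(password) <= 8 and set(password) <= LEGACY_ALLOWED

def legacy_login(name, password):
    """Plaintext comparison via string concatenation: any character the
    rule lets through is spliced straight into SQL, so the rule is the
    whole defence."""
    if not legacy_rule(password):
        return False
    sql = ("SELECT 1 FROM legacy_users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def store_user(name, password):
    """Hardened: bound parameters and a salted PBKDF2 hash, so the column
    never holds the password and its characters never reach the SQL parser.
    Any length and any character are acceptable."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash))

def login(name, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, pw_hash)
```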


I am sure operability and not security are the primary factors behind these rules.


There is reasoning; it's just not valid reasoning.



