Ticket #497 (closed Feature Request: worksforme)

Opened 2 months ago

Last modified 2 months ago

Allow symbols to be used in long usernames and passwords for local DB authentication

Reported by: scott [at] scottbarasch [dot] com Assigned to:
Priority: normal Milestone: WifiDog Auth Server 1.0
Component: Auth server, Authentication, permissions and access control Keywords: password, complex, complexity, symbols
Cc:

Description

Currently, the wifidog-auth server only allows local database authentication accounts for regular users to be composed of numbers and letters (upper or lower case).

In order to fully support complex and secure passwords, standard ASCII symbols, numbers, upper and lowercase letters should all be supported up to and including a password size of 40 chars. The username field should support at least 40 chars, to support long SIDs, and long first, middle, and last names, when using a convention for naming such as "firstname.middlename.lastname.number(company org)"

This is quite a common security pitfall in some web / database information systems, as it forces a user to use a less secure password. This is often done because it is somewhat hard to protect symbols from being used as SQL injection attacks or to corrupt SQL statements from the software to the database. Commonly, escaping the chars used for the password and username (the username should allow for spaces, numbers, upper and lower letters, and symbols, as well) when writing to the database should solve this problem, and add much additional security.

Change History

(follow-up: ↓ 2 ) 10/07/08 11:07:27 changed by benoitg

For the record, the reason for this restriction isn't SQL encoding, it's that the code to check password syntax is common for all authenticators. Internally, wifidog can deal with any credential that can be verified against its md5 hash.

So fulfilling this feature request involves splitting the syntax verification code to make it per-authenticator.
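To illustrate the two points raised in this ticket (that a single shared syntax check is what blocks symbols, and that escaping or binding parameters, not character restrictions, is the right SQL-injection defence), here is an added example of per-authenticator credential syntax rules in front of a parameterised local-DB store. It is constructed for this page and is not WiFiDog's code; the rule names, table schema and the salted PBKDF2 hash (used in place of the bare MD5 the comment mentions) are assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Per-authenticator syntax rules (constructed for this example, not WiFiDog's).
# "legacy" mirrors the restriction the ticket describes: letters and digits only.
# "localdb" bounds length at 40 but accepts any printable ASCII, symbols and spaces included.
SYNTAX_RULES = {
    "legacy": re.compile(r"^[A-Za-z0-9]{1,20}$"),
    "localdb": re.compile(r"^[\x20-\x7e]{1,40}$"),
}

def credential_ok(authenticator, value):
    """Return True if value satisfies the syntax rule of the named authenticator."""
    return bool(SYNTAX_RULES[authenticator].fullmatch(value))

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed here instead of bare MD5); returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

def make_store():
    """In-memory users table; the schema is constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn

def add_user(conn, username, password):
    """Bound parameters mean quotes or semicolons in the values never reach the SQL parser as code."""
    if not (credential_ok("localdb", username) and credential_ok("localdb", password)):
        return False
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))
    return True

def verify_user(conn, username, password):
    """Look the user up with a bound parameter and compare digests in constant time."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0])[1], row[1])
```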

(in reply to: ↑ 1 ) 10/15/08 00:19:18 changed by scott at scottbarasch dot com

Replying to benoitg:

For the record, the reason for this restriction isn't SQL encoding, it's that the code to check password syntax is common for all authenticators. Internally, wifidog can deal with any credential that can be verified against its md5 hash. So fulfilling this feature request involves splitting the syntax verification code to make it per-authenticator.

I actually did some further testing, and noticed that this feature was recently implemented between the time I originally tested the source code back in May 2008 or so, and when I finally managed to write up the feature request, a few weeks ago. I thought the platform I was referring to in the bug report was up to date, but I had only updated the wifidog-auth source trunk to about mid-August 2008, and not the wifidog source trunk (which was dated from about 2006 or so).

I'm marking this ticket as resolved. (Though I'm not sure how to do this on this system)

RESOLVED

10/20/08 16:31:36 changed by networkfusion

  • status changed from new to closed.
  • resolution set to worksforme.

Closing due to more information from the reporter.
