I haven’t investigated the question at all. I have wondered before how secure a single astral plane Unicode code point would be as a password. (And note that due to how the fancier password hashing algorithms like bcrypt work, supporting beyond ~72 characters without loss of entropy actually tends to take deliberate design and if you get it wrong, it can be a DoS vector - Django had such a problem a few years back, where you could feed it a 1MB password and keep it occupied hashing it for ages.) I think we support almost arbitrary lengths and arbitrary Unicode in both now. In FastMail, it’s much the same but without emailed codes as an option, because it is your email account that you’re trying to log in to. We then use zxcvbn for password strength detection, denying weak passwords (those where it is estimated to take less than 10⁶ attempts to guess). In Topicbox, we use emailed codes/magic links by default, but you can set a password and use that if you prefer (and if you want 2FA, you must use a password). (This is all hypothetical - I don’t believe any tools actually look at password field validation to see if they did the right thing.) So long as the form uses setCustomValidity to do its complaining when pattern isn’t enough, and the browser’s password generator knows to look at that and try again, you’re good to go. Those may be painful to shoehorn into a regular expression, but doing so is probably generally not too impractical.) Fortunately, the likes of zxcvbn are very password-generator-friendly, as they’re encouraging the sorts of strong passwords password generators like to make; so long as they also have similar accidentally-weak-generated-password protection, zxcvbn is unlikely to cause any trouble and can probably be ignored in defining a pattern for the generator to use. (Other rules may embed restrictions on use of names, dates, &c.
I shudder to think how many megabytes long a regular expression to validate that would be, and how atrociously it would perform. To take an example I’m familiar with, on FastMail and Topicbox we use Dropbox’s zxcvbn (a truly excellent library embodying a sound approach to password security), and flat-out deny passwords that are expected to take less than 10⁶ guesses, as too weak. Step 6: Copy and paste for further use the app-specific password you generated. Few password rules can’t be expressed in such a regular expression, but there are definitely some where doing so is impractical or absurd. Step 4: Define the label for the password and enter the application name for which you want to generate an app-specific password like SysInfo iCloud Email Backup Tool.