Michael said:
Lobang,
I would recommend not setting a default min/max length for
usernames (or, if you do, make it something like 300 characters or
something, and for passwords, they should be as long as the user
wants, and just store/compare the hash of the password. So if I want
War and Peace (the contents) to be my password, that's cool.
Not to disagree, but i disagree. ;-)
Firstly if these logins are going into a db, allowing arbitrary lengths
can lead to very avoidable performance issues. Why have a "Text"-type
datafild when you can use the faster varchar( 32 ). if you will have
many logins, that will lead to big performance and storage gains.
Why not just limit it at 32? Why allow a 15 megabyte username? Or a
user name that someone types in as "LobangTrader " the space being
added by the the user's kid pressing on the space bar while on the
phone. You should at least trim it.
Also the day that you might want to do LDAP synchronization or
synchronization with any other service that needs a login, you might
have problems since half your uses use @ in there names, but XXX server
doesn't allow it. Allowing names of like 32 characters, no spaces, only
letters, numbers and _,- and the other common ones would go a long way.
Furthermore the day that maby you want to make a script to give them
access to a unix or ftp account, its there. That's scallability baby
Also for passwords, i would reccomend not storing passwords at all. You
can do an MD5 password check really easily, and it frees the server from
any liability lawsuits about poeple saying "someone stole my password
off your server".
So what you do is you get the login and password, and MD5 the password
and store that into your database. Then when the user tries to logon,
you get the (HTTPS!) form data and use the java.securirty.MessageObject
class to get an MD5 encoder. MD5 is like a "code" for a string. Its
called a "one-way cypher" because you encode it one way and its
virtually impossible to decode it from the MD5 back to the original string.
Now since you are using MD5, you shouldn't allow to long of passwords
because your probability of collision (two different passwords having
the same MD5) go up as the string is big. I'de just limit it to 64
characters. A 64 character password is a pretty good limit.
Now you may ask, what if the user forgets his/her password and needs a
"get my password" e-mail? well just don't use them. Send them an e-mail
with a couple security questions, going to a specified link code that
expires in XX time like paypal, e-bay etc. Its not really hard to
implement and its pretty secure. Put a couple sample questions like
"what's your favorite food", "Your pet's name", "The street you grew up
on" etc. With that you don't need to store passwords and that helps
free your company of this type liability. (yee!
). Contact a lawyer
to make sure though
since i'me not a lawyer i can't say what frees
you from liability.
At work, a friend of mine actually made an MD5 cypherer in javascript so
even the post data, through HTTPS, was beying encoded. That means that
we didn't even know the password at any given time throughout the
process. Kind of cool to treat log ins and passwords without knowing
the passwords
Anyway thats my 0.02$ CAD so that brings you up to real money now!