限制密码的字符数?

时间:2015-07-31 18:38:02

标签: mysql database

如果想限制我的数据库(mysql)中可用于密码的可能字符数,我是否只需将类型设置为varchar(#of chars),例如:varchar(15)。可以使用15个最大字符?

2 个答案:

答案 0 :(得分:2)

Certainly you can limit the length of something by setting its field length in the database. But this would result in confusing situations for your users. Someone might think he's using a strong password by typing in 20-30 or more characters, but you're silently storing only the first 15. That might even cause him trouble later on if he changes his password and only changes the last few characters - to you it would be the same 15-character password. Very puzzling.

If you do limit the lenght, be very clear about it in your UI with instructions and good error messages after you check length.

But better yet, don't limit password length. The longer the better for strong passwords!

答案 1 :(得分:2)

I think you are in a very bad mindset when it comes to passwords. Here are some things to keep in mind when working with passwords.

  1. You should NEVER store plain passwords in the DB. All passwords should be hashed before being stored. The industry standard way is to use bcrypt hashing. It creates a 60 character long string.

  2. Longer the password, harder it is to crack. That means ideally you shouldn't limit the max number of characters in a password. On the other hand, limiting the min number of characters is a good idea.

  3. Read up on password salting. It is a way of adding more security to your password. bcrypt libraries do this for you - you should let it, rather than trying to come up with your own salts.

  4. If you really need to limit the number of characters in a password, do it programmatically. This way you can inform the user that it exceeds the limit. If you don't you have a scenario described in @n8wrl's answer.

If I have missed anything, leave it in the comments and I will edit the answer accordingly.