path: root/user_guide_src/source/general/security.rst
author: Ahmad Anbar <aanbar@gmail.com> 2015-04-06 18:59:53 +0200
committer: Ahmad Anbar <aanbar@gmail.com> 2015-04-06 18:59:53 +0200
commit: 5e50c42ef27261bc7fcb279499ce76cfc2519aa6 (patch)
tree: d74d660534b72ddc0b6cda9147cecfb64a225346 /user_guide_src/source/general/security.rst
parent: ed520408514fff6486788e1543589418d24d885e (diff)
parent: 7726b75552f765af94038e47a4a4272ac08c646e (diff)
Merge remote-tracking branch 'upstream/develop' into develop
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r-- user_guide_src/source/general/security.rst 16
1 files changed, 12 insertions, 4 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
index 0c58f96b4..fcfe4c24b 100644
--- a/user_guide_src/source/general/security.rst
+++ b/user_guide_src/source/general/security.rst
@@ -133,17 +133,25 @@ with that. Please read below.
provides them for you as long as you're running at least PHP version
5.3.7 (and if you don't meet that requirement - please, upgrade).
+ If you're one of the really unlucky people who can't even upgrade to a
+ more recent PHP version, use `hash_pbkdf() <http://php.net/hash_pbkdf2>`,
+ which we also provide in our compatibility layer.
+
- DO NOT ever display or send a password in plain-text format!
Even to the password's owner, if you need a "Forgotten password"
feature, just randomly generate a new, one-time (this is also important)
password and send that instead.
-- DO NOT put artificial limits on your users' passwords.
+- DO NOT put unnecessary limits on your users' passwords.
+
+ If you're using a hashing algorithm other than BCrypt (which has a limit
+ of 72 characters), you should set a relatively high limit on password
+ lengths in order to mitigate DoS attacks - say, 1024 characters.
- There's no point in forcing a rule that a password can only be up to
- a number of characters, or that it can't contain a certain set of
- special characters.
+ Other than that however, there's no point in forcing a rule that a
+ password can only be up to a number of characters, or that it can't
+ contain a certain set of special characters.
Not only does this **reduce** security instead of improving it, but
there's literally no reason to do it. No technical limitations and
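Review bot: the added line `+ more recent PHP version, use `hash_pbkdf() <http://php.net/hash_pbkdf2>`,` names a function that does not exist; the PHP function is `hash_pbkdf2()`, as the URL in the same line says, so the link text should be `hash_pbkdf2()`. In the same span, a reST external hyperlink needs a trailing underscore to render as a link rather than as interpreted text, so it should read ``hash_pbkdf2() <http://php.net/hash_pbkdf2>`_`. One further wording point on the new "If you're using a hashing algorithm other than BCrypt (which has a limit of 72 characters)" lines: bcrypt's limit is 72 bytes, not 72 characters, which matters for passwords containing multibyte UTF-8, so "72 bytes" would be the accurate figure to document.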