diff options
author | Ahmad Anbar <aanbar@gmail.com> | 2015-04-06 18:59:53 +0200 |
---|---|---|
committer | Ahmad Anbar <aanbar@gmail.com> | 2015-04-06 18:59:53 +0200 |
commit | 5e50c42ef27261bc7fcb279499ce76cfc2519aa6 (patch) | |
tree | d74d660534b72ddc0b6cda9147cecfb64a225346 /user_guide_src/source/general/security.rst | |
parent | ed520408514fff6486788e1543589418d24d885e (diff) | |
parent | 7726b75552f765af94038e47a4a4272ac08c646e (diff) |
Merge remote-tracking branch 'upstream/develop' into develop
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r-- | user_guide_src/source/general/security.rst | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst index 0c58f96b4..fcfe4c24b 100644 --- a/user_guide_src/source/general/security.rst +++ b/user_guide_src/source/general/security.rst @@ -133,17 +133,25 @@ with that. Please read below. provides them for you as long as you're running at least PHP version 5.3.7 (and if you don't meet that requirement - please, upgrade). + If you're one of the really unlucky people who can't even upgrade to a + more recent PHP version, use `hash_pbkdf() <http://php.net/hash_pbkdf2>`, + which we also provide in our compatibility layer. + - DO NOT ever display or send a password in plain-text format! Even to the password's owner, if you need a "Forgotten password" feature, just randomly generate a new, one-time (this is also important) password and send that instead. -- DO NOT put artificial limits on your users' passwords. +- DO NOT put unnecessary limits on your users' passwords. + + If you're using a hashing algorithm other than BCrypt (which has a limit + of 72 characters), you should set a relatively high limit on password + lengths in order to mitigate DoS attacks - say, 1024 characters. - There's no point in forcing a rule that a password can only be up to - a number of characters, or that it can't contain a certain set of - special characters. + Other than that however, there's no point in forcing a rule that a + password can only be up to a number of characters, or that it can't + contain a certain set of special characters. Not only does this **reduce** security instead of improving it, but there's literally no reason to do it. No technical limitations and |