author | Andrey Andreev <narf@devilix.net> | 2015-03-31 14:01:36 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2015-03-31 14:01:36 +0200 |
commit | a8c499d0125b2e96f7f3c539f6b46cff7547aa80 | |
tree | 151c8869a8197ae1ab70039af5f796a39c1b9228 /user_guide_src/source/general | |
parent | 914ae0404e8d699440e8468314a93b81f8cb87f6 | |
[ci skip] Update security recommendations
Diffstat (limited to 'user_guide_src/source/general')
-rw-r--r-- | user_guide_src/source/general/security.rst | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst index efc821f2b..fcfe4c24b 100644 --- a/user_guide_src/source/general/security.rst +++ b/user_guide_src/source/general/security.rst @@ -143,11 +143,15 @@ with that. Please read below. feature, just randomly generate a new, one-time (this is also important) password and send that instead. -- DO NOT put artificial limits on your users' passwords. +- DO NOT put unnecessary limits on your users' passwords. - There's no point in forcing a rule that a password can only be up to - a number of characters, or that it can't contain a certain set of - special characters. + If you're using a hashing algorithm other than BCrypt (which has a limit + of 72 characters), you should set a relatively high limit on password + lengths in order to mitigate DoS attacks - say, 1024 characters. + + Other than that however, there's no point in forcing a rule that a + password can only be up to a number of characters, or that it can't + contain a certain set of special characters. Not only does this **reduce** security instead of improving it, but there's literally no reason to do it. No technical limitations and |
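Review bot: in the added paragraph, "BCrypt (which has a limit of 72 characters)" should say 72 bytes, because bcrypt's input limit is counted in bytes and a password containing multi-byte UTF-8 characters reaches it before 72 characters. The sentence also gives guidance only for algorithms other than BCrypt, so it would help to state what a BCrypt user should do about longer input. Finally, the unchanged context that follows, "there's literally no reason to do it. No technical limitations and", now comes directly after text that names a DoS reason and a technical limit; consider scoping that sentence to character-set restrictions and low length caps so the section does not contradict itself.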