author: ftwbzhao <b.zhao1@gmail.com> 2015-04-09 16:32:41 +0200
committer: ftwbzhao <b.zhao1@gmail.com> 2015-04-09 16:32:41 +0200
commit: b587698dd45396b91106bd7c894a79747b1fb7a9
tree: 76a1d614976dd0b695e513a40f9235e3b9f7f82c /user_guide_src/source/general
parent: 9b9a06c9635cd3b4fce0aebe4d2eead4809999a5
parent: fd363f224d7886eb686434d7a835eaa49183d8e6
Merge branch 'develop' of https://github.com/bcit-ci/CodeIgniter into develop
Diffstat (limited to 'user_guide_src/source/general'):
-rw-r--r-- user_guide_src/source/general/security.rst | 12
1 files changed, 8 insertions, 4 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
index efc821f2b..fcfe4c24b 100644
--- a/user_guide_src/source/general/security.rst
+++ b/user_guide_src/source/general/security.rst
@@ -143,11 +143,15 @@ with that. Please read below.
feature, just randomly generate a new, one-time (this is also important)
password and send that instead.
-- DO NOT put artificial limits on your users' passwords.
+- DO NOT put unnecessary limits on your users' passwords.
- There's no point in forcing a rule that a password can only be up to
- a number of characters, or that it can't contain a certain set of
- special characters.
+ If you're using a hashing algorithm other than BCrypt (which has a limit
+ of 72 characters), you should set a relatively high limit on password
+ lengths in order to mitigate DoS attacks - say, 1024 characters.
+
+ Other than that however, there's no point in forcing a rule that a
+ password can only be up to a number of characters, or that it can't
+ contain a certain set of special characters.
Not only does this **reduce** security instead of improving it, but
there's literally no reason to do it. No technical limitations and
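Review bot: In the new paragraph, "a limit of 72 characters" for BCrypt should read "72 bytes": bcrypt truncates its input at 72 bytes, not 72 characters, so a password with multibyte UTF-8 characters hits the limit sooner than the text implies. Because that truncation is silent, it is also worth not leaving bcrypt users with the impression that no length consideration applies to them; a clause such as "BCrypt silently ignores anything past 72 bytes" would make the advice complete. Minor style point in the same hunk: "Other than that however, there's no point" wants a comma after "that" ("Other than that, however, there's no point"), and the hyphen in "DoS attacks - say, 1024 characters" could be a proper dash or a comma, consistent with the rest of the guide.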