Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Reminds me of a password security policy that listed few SQL statements that can't be used in passwords.


That was probably to prevent SQL injection, right?


Properly implemented parameterized SQL would allow

    '; drop table users; --
As a password without batting an eye.


Unless I'm missing something here, lacking parametrization is not the issue here. The issue is that it's obvious they are saving the password in plaintext instead of hashing it, otherwise the password would never get close to an SQL query to allow injection.


But since you can't guarantee that every programmer and contractor, including future ones, write proper SQL, it's nice to reduce the attack surface a bit.


Reduce the attack surface by running the password through a proper modern Key Derivation Function (KDF) such as Scrypt before passing it to the database, not by running it through a few regexes.


hey man don't post my password here. Now I gotta change it again and I'm running out of good sql queries.


Can you really prevent SQL injection via a blacklist?


A finite blacklist? No, I don't think so. A regex blacklist? Yes; trivially if you can be radically overly cautious.


Citi is the same way...

Nothing in their policy about what isn't allowed[0] and they updated their system one weekend and my password quit working because it had % in it. I called tech support over it and they offered no additional guidance.

https://www.accountonline.com/cards/svc/OutsideView.do?forwa...


Citi Student Loan website maxes out at 6 or 7 characters and is utter garbage on top of that. Worst case though, someone could pay my student loans for me I guess.


In the worst possible way - it makes clear that they're vulnerable to it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: