  • 43
    I can't definitively answer 'why' someone else does something. Maybe they had a security auditor who said "use a whitelisted character set for user input, and block any non-alphanumeric symbols." Maybe the web package they bought came with that restriction. Maybe their Vice President of Security said "add some visible measures that give our customers the impression that we take security seriously." Who knows why? Commented Jan 26, 2016 at 19:21
  • 195
    Well, strictly speaking, if they were interested in proper data handling, the password wouldn't be in the database to begin with (escaped or no). It'd be hashed, salted... peppered... glazed, broasted, powdered, and finally left to simmer over a low flame for 15 to 20 minutes. Commented Jan 26, 2016 at 20:28
  • 62
    Mmmm...password hash. Breakfast of champions. :-) Commented Jan 26, 2016 at 20:42
  • 62
    They're savvy enough to care about SQL injection, but think the solution is to disallow certain characters in users' passwords? I smell a disconnect here, like a security officer somewhere knows just enough to be responsible for--but very careless with--a lot of users' data.
    – loneboat
    Commented Jan 26, 2016 at 22:29
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Jeff Ferland
    Commented Jan 27, 2016 at 17:41
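The point the comments above make, that a password which is hashed and bound as a query parameter never reaches the SQL text, so restricting its character set buys nothing, as an added example that is not part of the original thread. It uses only the Python standard library; the table layout, the in-memory database and the 600,000-iteration PBKDF2 work factor are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database for the demonstration; real code would use
# the application's own connection and schema.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    # The password is only ever fed to the KDF as bytes; no SQL statement
    # sees it, so quotes, semicolons and comment markers in it are harmless.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters: the driver sends values separately from the SQL text,
    # so neither the username nor the hash can change the statement.
    conn.execute(
        "INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify(username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def user_count() -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample credentials: the password contains exactly the
    # characters a blacklist would reject, and it is stored and checked fine.
    register("alice", "p@ss'; DROP TABLE users; --")
    print(verify("alice", "p@ss'; DROP TABLE users; --"))  # True
    print(verify("alice", "wrong"))                         # False
    print(user_count())                                      # 1, table intact
```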