Simple Question About The Data In The Password Field!

Hello guys!

Is it really necessary to sanitize the password field when someone registers at the website? I have seen a lot of examples where the password field has been sanitized!! Isn’t this wrong? Doing this, we are preventing the user from choosing a strong password. Also, the data is only saved when it is encrypted. I think there’s no risk.

Normally I only sanitize the password field in the authentication/login! (NOTE: I think it isn’t necessary here either, because the data is encrypted before being compared)

What do you guys think about this? Am I wrong? Do we really need to sanitize the password field?

Well, it really depends on against what you want to protect yourself. If it is poor password choices by your users, sanitizing them in the signup form might not be the worst idea ;)

Sanitizing in login forms seems like a waste of resources, though.

I totally agree with you, Da:Sourcerer, about the login forms!

On the signup form, in some way, I always try to ensure the user chooses a strong password by forcing him to type a password with alphanumeric characters/symbols/uppercase and lowercase letters (actually the uppercase/lowercase letters are irrelevant, but if it gives 1% more security, I will use it), etc., preventing him from having a really bad password.

That’s why I think sanitizing the password field on signup is really bad and should not be done.

Hm, are you aware of the avalanche effect?

Well, that’s why the 1% for me is relevant! I mean, if that 1% can make a substantial change on the user’s password (hash), I will use it! Correct me if I’m wrong! :P
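The two technical points raised in this thread, storing and checking the password as a salted hash of the raw input without sanitizing it (the original question), and the avalanche effect by which a one-character difference changes roughly half of the hash bits (the last two replies), as one added Python example. This is not code from the thread or from any poster; the choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-byte salt, the in-memory `store` dict and the `naive_sanitize` helper that stands in for the "sanitize the password field" pattern are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Assumed parameters for this example. The iteration count is kept low so the
# demo runs quickly; a production deployment should use a far higher count
# (or a memory-hard KDF such as scrypt/Argon2).
ITERATIONS = 100_000
SALT_BYTES = 16

# A user record: (salt, derived key, iteration count used).
Record = Tuple[bytes, bytes, int]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Derive a key from the password exactly as the user typed it.

    No sanitizing happens here: quotes, angle brackets, spaces and non-ASCII
    characters are all part of the input, so they all contribute entropy.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def register(store: Dict[str, Record], username: str, password: str) -> None:
    """Signup: store only salt + derived key, never the password itself."""
    salt, digest = hash_password(password)
    store[username] = (salt, digest, ITERATIONS)


def verify(store: Dict[str, Record], username: str, password: str) -> bool:
    """Login: re-derive with the stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Unknown user: still do the derivation so the response time does not
        # reveal whether the username exists.
        hash_password(password)
        return False
    salt, digest, iterations = record
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def naive_sanitize(password: str) -> str:
    """Assumed stand-in for the 'sanitize the password field' pattern the
    thread argues against: strips everything but ASCII letters and digits.
    Applied before hashing, it silently shrinks the password's entropy."""
    return re.sub(r"[^A-Za-z0-9]", "", password)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_demo(p1: str, p2: str) -> int:
    """Hash two passwords under the same constructed salt and report how many
    of the 256 output bits differ. For p1 != p2 the expected value is ~128."""
    fixed_salt = b"\x00" * SALT_BYTES  # constructed: only the password varies
    _, d1 = hash_password(p1, fixed_salt)
    _, d2 = hash_password(p2, fixed_salt)
    return differing_bits(d1, d2)


if __name__ == "__main__":
    users: Dict[str, Record] = {}
    raw = "p@ss' OR 1=1 --<b>"  # constructed: looks hostile, but is just bytes to a KDF
    register(users, "alice", raw)
    print("raw password verifies:      ", verify(users, "alice", raw))
    print("sanitized password verifies:", verify(users, "alice", naive_sanitize(raw)))
    print("bits changed by case flip:  ", avalanche_demo("Password1", "password1"), "/ 256")
```

The `users` store shows why sanitizing at signup is unnecessary for storage: the hostile-looking string never reaches a database or an HTML page, only its PBKDF2 output does, and the un-sanitized value is what the user must type back at login. `avalanche_demo` makes the "1%" discussion concrete: flipping the case of one letter changes about half of the output bits, so an attacker guessing the hash gains nothing from a near miss; the case rule still only matters to the extent it enlarges the space of passwords the user might actually choose.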