OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS

hasKeyboardOrderedCharacters is not localized #26

Closed vanderaj closed 10 years ago

vanderaj commented 11 years ago

Yes, US keyboard like a zillion keyboards out there, but I think you need to provide a way to supply other common keyboards, like AZERTY and so on.

abiusx commented 11 years ago

Any ideas on how to do that? Because we also need the same thing for date patterns, not everybody uses Gregorian calendars. -A


Notice: This message is digitally signed; its source and integrity are verifiable. If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com


SvenRtbg commented 11 years ago

Localizing that function would mean the application on the server knows the keyboard layout of the client. This will never happen.

It does not matter what keyboard layout a user has - if the password is made of keyboard-ordered characters on ANY layout, it should be considered weak.

So the real issue is to know all used keyboard layouts, and test with all of them.

abiusx commented 11 years ago

For now, let's go with the English standard. I have a paper on this issue; we will incorporate that into the next release. It has a lot of details. -A


Notice: This message is digitally signed, its source and integrity are verifiable. If you mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 6, 1392, at 4:48 AM, SvenRtbg notifications@github.com wrote:

Localizing that function would mean the application on the server knows the keyboard layout of the client. This will never happen.

It does not matter what keyboard layout a user has - if the password is used by keyboard ordered characters on ANY layout, it should be considered weak.

So the real issue is to know all used keyboard layouts, and test with all of them.

— Reply to this email directly or view it on GitHub.