For password security, developers need to:
1. Never know the user's password: store it only in encrypted (one-way hashed) form, and never save the user's original password directly in the database.
2. Do not restrict the format of user passwords: if a fixed format is prescribed, an attacker is likely to exploit it to narrow the search space and crack passwords. Do enforce a minimum length, however; at least 8 characters is recommended, and the longer the better.
3. Never send the user's password by e-mail: when implementing a "forgot password" feature, do not notify the user of their password by e-mail; instead, e-mail the user a link to reset the password and let them set a new one themselves.
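The following is an added example, not code from the original post, showing the three rules together in Python: the stored record holds only a salted PBKDF2 hash (PBKDF2-HMAC-SHA256 is an assumption; the post names no algorithm), the only password rule is a minimum length of 8 characters, and password recovery issues a single-use, expiring reset link whose token is itself stored only as a hash. The in-memory dictionaries stand in for a database and the host `example.invalid` is a placeholder.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for database tables (assumption: a real app
# would use persistent storage with the same column shapes).
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) hex -> {"user": str, "expires": float}

MIN_PASSWORD_LENGTH = 8          # rule 2: only a minimum length, no format rules
PBKDF2_ITERATIONS = 600_000      # OWASP's current PBKDF2-SHA256 recommendation
RESET_TOKEN_TTL_SECONDS = 15 * 60


def validate_password(password):
    """Return None if acceptable, otherwise an error message.
    Deliberately checks length only: no required character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password must be at least {MIN_PASSWORD_LENGTH} characters"
    return None


def hash_password(password, salt=None):
    """Salted one-way hash; the plaintext is never stored (rule 1)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def register(username, password):
    err = validate_password(password)
    if err:
        raise ValueError(err)
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def create_reset_link(username, now=None):
    """Rule 3: e-mail a reset link, never the password.
    Only a hash of the token is stored, so a leaked table cannot be replayed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_TOKEN_TTL_SECONDS}
    return f"https://example.invalid/reset?token={token}"  # placeholder host


def redeem_reset_token(token, new_password, now=None):
    """Consume a reset token and set a new password. Returns True on success."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.get(key)
    if entry is None or now > entry["expires"]:
        RESET_TOKENS.pop(key, None)  # drop an expired entry
        return False
    if validate_password(new_password) is not None:
        return False  # token stays valid so the user can try again
    del RESET_TOKENS[key]  # single use
    salt, digest = hash_password(new_password)
    USERS[entry["user"]] = {"salt": salt, "hash": digest}
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    link = create_reset_link("alice")
    print("would e-mail:", link)
```

The reset flow is the part most often gotten wrong: the token is random (not derived from the user or the time), it expires, it is deleted on first use, and the server keeps only its hash, so reading the table is not enough to take over an account.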