I know that to store a password you have to hash it. I use password_hash and password_verify to do it.
But I am surprised that some people say that you do not need to validate a password before hashing it, because you are going to hash it anyway.
I think that at least it would be good practice to validate that the user enters a password with a length of more than a certain number of characters, or to make the user input a special character (*, ", ', etc.), at least to make the password strong.
So here I have some questions:
- Is it considered good practice not to validate anything about the password and only hash it?
- Is there additional security in doing a validation before hashing the password?
- If so, what should be considered in that validation?
Note: I want to know all of these questions from a security point of view.
Thanks in advance!
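An added example (not code from the question author) of a validate-then-hash flow around password_hash and password_verify; the policy values (minimum 12 characters, maximum 72 bytes because bcrypt ignores input beyond that, and the comparison against the username) are assumptions for illustration:

```php
<?php
declare(strict_types=1);

// Assumed policy values for this example, not from the question.
const MIN_PASSWORD_LENGTH = 12; // minimum length in characters
const MAX_PASSWORD_BYTES  = 72; // bcrypt silently truncates input beyond 72 bytes

// Validate a candidate password before hashing.
// Returns a list of error messages; an empty list means the password is acceptable.
function validatePassword(string $password, array $knownValues = []): array
{
    $errors = [];

    // Minimum length counted in characters (multibyte-safe), not bytes.
    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        $errors[] = sprintf('Password must be at least %d characters.', MIN_PASSWORD_LENGTH);
    }

    // Maximum length counted in bytes: bcrypt only uses the first 72 bytes,
    // so a longer password would verify on its first 72 bytes alone.
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        $errors[] = sprintf('Password must be at most %d bytes.', MAX_PASSWORD_BYTES);
    }

    // Reject a password equal to one of the user's own identifiers (e.g. username).
    foreach ($knownValues as $value) {
        if ($value !== '' && strcasecmp($password, $value) === 0) {
            $errors[] = 'Password must not be the same as your username or e-mail.';
            break;
        }
    }

    return $errors;
}

function registerUser(string $username, string $password): string
{
    $errors = validatePassword($password, [$username]);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode(' ', $errors));
    }
    // Hash only after validation passed; the hash embeds its own salt and cost.
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed demo values.
$hash = registerUser('alice', 'correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $hash));
var_dump(password_verify('wrong password', $hash));
```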