Re: suggesting passwds to users

[Saqib Ali <docbook.xml () gmail com>]

> I suppose you could generate word-form passwords such as g@L@xi3$
> (galaxies) to try and manage the user.  You have to compare the
> threats: is it more of a threat for a user to write down their
> password or to use the same password they have on 50 other web sites.
> I'm not sure what the answer is here....

Yup the answer will depend on your application, and the env you users
are working in.

> No offense, but DUH!  Isn't it impossible for a computer to generate a
> truly random number without user interaction (such as random mouse
> movements to generate entropy, as gnupg asks the user to do when
> generating pub/priv keypairs)?  Nevertheless, as your
> pseudo-randomness tends toward zero you will hit a point that is
> statistically acceptable.  Like when scientists agree that 1x10^-200
> chance of occurence can reasonably be considered impossible.

I m not going to comment on this :)

> This is a not a bad idea, but I'm not sure my server can handle doing
> a dictionary/bruteforce attack on a user chosen password on the fly in
> enough time to return a response to the user.  Some of these systems

You don't have to do it on-the-fly. You can run a CRON job on a
nightly basis to do thorough verification of the password complexity.
And prompt the user to change when they log in next time.

-- 
In Peace,
Saqib Ali
http://validate.sf.net