WebApp Sec mailing list archives
Re: suggesting passwds to users
From: Saqib Ali <docbook.xml () gmail com>
Date: Mon, 18 Apr 2005 12:55:34 -0700
I suppose you could generate word-form passwords such as g@L@xi3$ (galaxies) to try and manage the user. You have to compare the threats: is it more of a threat for a user to write down their password or to use the same password they have on 50 other web sites. I'm not sure what the answer is here....
Yup the answer will depend on your application, and the env you users are working in.
No offense, but DUH! Isn't it impossible for a computer to generate a truly random number without user interaction (such as random mouse movements to generate entropy, as gnupg asks the user to do when generating pub/priv keypairs)? Nevertheless, as your pseudo-randomness tends toward zero you will hit a point that is statistically acceptable. Like when scientists agree that 1x10^-200 chance of occurence can reasonably be considered impossible.
I m not going to comment on this :)
This is a not a bad idea, but I'm not sure my server can handle doing a dictionary/bruteforce attack on a user chosen password on the fly in enough time to return a response to the user. Some of these systems
You don't have to do it on-the-fly. You can run a CRON job on a nightly basis to do thorough verification of the password complexity. And prompt the user to change when they log in next time. -- In Peace, Saqib Ali http://validate.sf.net
Current thread:
- suggesting passwds to users James Barkley (Apr 18)
- Re: suggesting passwds to users Mark Owen (Apr 20)
- Re: suggesting passwds to users robert (Apr 21)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users SecurityFocus (Apr 21)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Mark Owen (Apr 20)
- Re: suggesting passwds to users Kelly John Rose (Apr 20)
- Re: suggesting passwds to users Robert Hajime Lanning (Apr 20)
- Re: suggesting passwds to users Michael Silk (Apr 20)
- Re: suggesting passwds to users Martin Sarsale (Apr 20)
- <Possible follow-ups>
- RE: suggesting passwds to users Matt Fisher (Apr 20)
- Re: suggesting passwds to users hggdh (Apr 21)
- RE: suggesting passwds to users Scovetta, Michael V (Apr 21)
- RE: suggesting passwds to users maburns (Apr 21)
- RE: suggesting passwds to users Sohl, Greg (Apr 21)