RE: suggesting passwds to users

["Matt Fisher" <mfisher () spidynamics com>]

The first thing I think of in this scenario is what "random" means.  I
don't know that much about rand generators, but I do know that some have
been flawed, and presented not-so-random numbers.  
 

> -----Original Message-----
> From: James Barkley [mailto:James.Barkley () noaa gov] 
> Sent: Friday, April 15, 2005 3:20 AM
> To: webappsec () securityfocus com
> Subject: suggesting passwds to users
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
>
> A user authenticates with a username/passwd and you not only 
> give the user the option to change his/her password any time 
> they want but also make it mandatory that they change their 
> password at least once every so often (e.g. 6 months).  You 
> know that users are not good at choosing good passwords, but 
> you happen to have a good application module for generating 
> random strong passwords.  So, when the user is at the change 
> password page and about to type in "Mets4Ever" as their new 
> password, why not give them a list of 10 or so 
> cryptographically strong, randomly generated passwords as 
> suggestions for them.
> Assuming you are using https, then this seems like reasonable 
> security... or am I missing something?
>
> - -Jim Barkley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
>  
> iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt
> zPNrsUoEcHrAlvIqbunriPM=
> =EYEs
> -----END PGP SIGNATURE-----