WebApp Sec mailing list archives
Re: suggesting passwds to users
From: James Barkley <James.Barkley () noaa gov>
Date: Mon, 18 Apr 2005 14:38:14 -0400
Saqib Ali wrote:

| 1) Shoulder surfing might be a problem for this type of solution,
| since you will need to display the password on the screen for the
| user to choose one.

I agree this is a threat.

| 2) In my experience, if the password is a randomly generated bunch of
| letters, it becomes hard for the user to remember, and they tend
| to write them down on a piece of paper and paste on the bottom of
| the keyboard. :-(

I suppose you could generate word-form passwords such as g@L@xi3$ (galaxies) to try and manage the user. You have to compare the threats: is it more of a threat for a user to write down their password or to use the same password they have on 50 other web sites? I'm not sure what the answer is here....

| 3) Your system will NOT generate "random" passwords, instead it will
| generate "PSEUDO-RANDOM" passwords.

No offense, but DUH! Isn't it impossible for a computer to generate a truly random number without user interaction (such as random mouse movements to generate entropy, as gnupg asks the user to do when generating pub/priv keypairs)? Nevertheless, as your pseudo-randomness tends toward zero you will hit a point that is statistically acceptable. Like when scientists agree that a 1x10^-200 chance of occurrence can reasonably be considered impossible.

| this process can be duplicated by an attacker to generate a
| list of all possible passwords, and use it in a dictionary attack.
|
| An easier and better approach is to let the user choose their own
| password, and then run a dictionary/bruteforce attack on the
| password file to make sure they are strong passwords. If they are
| not, prompt the user to change them.

This is not a bad idea, but I'm not sure my server can handle doing a dictionary/bruteforce attack on a user chosen password on the fly in enough time to return a response to the user. Some of these systems are running pretty minimal hardware.

There is a trade-space here that can be explored, which is size-of-dictionary versus computation-time, but what is the inflection point where you are searching too few words? Anyway, thanks for the feedback.

-Jim
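As an added example (not from the thread or either poster), the two mechanisms discussed above in one place: suggesting passwords from the OS CSPRNG so the candidate list cannot be regenerated, and checking a user-chosen password against a word list at password-set time by hash-set lookup rather than by brute force, with "g@L@xi3$"-style substitutions reversed first. The word list and the 10-character minimum are constructed for the example.

```python
import secrets
import string

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words). A much
# larger list costs memory, not time: each lookup in a hash set stays O(1), so the
# size-of-dictionary versus computation-time trade-off largely disappears.
DICTIONARY = {"galaxies", "password", "letmein", "monkey", "dragon", "welcome"}

# Substitutions users typically make to "disguise" a word, reversed here so that
# g@L@xi3$ collapses back to "galaxies" before the lookup.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def candidate_forms(password: str) -> set[str]:
    """Variants to look up: as typed, with trailing digits and punctuation
    removed, and each of those with the leet substitutions reversed."""
    lower = password.lower()
    stripped = lower.rstrip(string.digits + string.punctuation)
    return {lower, stripped, lower.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def is_dictionary_based(password: str, dictionary: set[str] = DICTIONARY) -> bool:
    """True if any candidate form is a dictionary word. Four set lookups, so it is
    affordable in the request path even on minimal hardware."""
    return any(form in dictionary for form in candidate_forms(password))


def suggest_password(length: int = 12) -> str:
    """Draw from the OS CSPRNG via `secrets`, not the `random` module, so an
    attacker who knows the algorithm cannot replay the generator's output."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))


def accept(password: str, min_length: int = 10) -> bool:
    """Policy check at password-set time: minimum length plus the dictionary test."""
    return len(password) >= min_length and not is_dictionary_based(password)


if __name__ == "__main__":
    for pw in ("g@L@xi3$", "Password1!", suggest_password()):
        print(pw, "accepted" if accept(pw) else "rejected")
```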