WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: suggesting passwds to users

From: Robert Hajime Lanning <robert.lanning () gmail com>
Date: Mon, 18 Apr 2005 13:56:22 -0700
On 4/15/05, James Barkley <James.Barkley () noaa gov> wrote:

A user authenticates with a username/passwd and you not only give the
user the option to change his/her password any time they want but also
make it mandatory that they change their password at least once every
so often (e.g. 6 months).  You know that users are not good at
choosing good passwords, but you happen to have a good application
module for generating random strong passwords.  So, when the user is
at the change password page and about to type in "Mets4Ever" as their
new password, why not give them a list of 10 or so cryptographically
strong, randomly generated passwords as suggestions for them.
Assuming you are using https, then this seems like reasonable
security... or am I missing something?


Unless you are using a password generator that creates something
akin to pronounceable passwords, you would be telling your users
to write the password down in a handy place.

-- 
END OF LINE
       -MCP
Previous By Date Next
Previous By Thread Next

Current thread: