WebApp Sec mailing list archives
RE: suggesting passwds to users
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Wed, 20 Apr 2005 13:55:16 -0400
Matt-- I think even the "bad" random generators are still pretty random, and the flaws only show up in a slightly statistical "blip" after thousands to millions of numbers are generated. I'm reading a great book called "Malicious Cryptovirology" by Young and Yung (http://www.amazon.com/exec/obidos/tg/detail/-/0764549758/102-7275077-50 83323?v=glance) which talks a great deal about random number generation-- I'd highly suggest it to anyone looking to learn about random number generation. Michael Scovetta Computer Associates Senior Application Developer -----Original Message----- From: Matt Fisher [mailto:mfisher () spidynamics com] Sent: Tuesday, April 19, 2005 10:22 PM To: James Barkley; webappsec () securityfocus com Subject: RE: suggesting passwds to users The first thing I think of in this scenario is what "random" means. I don't know that much about rand generators, but I do know that some have been flawed, and presented not-so-random numbers.
-----Original Message----- From: James Barkley [mailto:James.Barkley () noaa gov] Sent: Friday, April 15, 2005 3:20 AM To: webappsec () securityfocus com Subject: suggesting passwds to users -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A user authenticates with a username/passwd and you not only give the user the option to change his/her password any time they want but also make it mandatory that they change their password at least once every so often (e.g. 6 months). You know that users are not good at choosing good passwords, but you happen to have a good application module for generating random strong passwords. So, when the user is at the change password page and about to type in "Mets4Ever" as their new password, why not give them a list of 10 or so cryptographically strong, randomly generated passwords as suggestions for them. Assuming you are using https, then this seems like reasonable security... or am I missing something? - -Jim Barkley -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt zPNrsUoEcHrAlvIqbunriPM= =EYEs -----END PGP SIGNATURE-----
Current thread:
- Re: suggesting passwds to users, (continued)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users SecurityFocus (Apr 21)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users Kelly John Rose (Apr 20)
- Re: suggesting passwds to users Robert Hajime Lanning (Apr 20)
- Re: suggesting passwds to users Michael Silk (Apr 20)
- Re: suggesting passwds to users Martin Sarsale (Apr 20)
- RE: suggesting passwds to users Matt Fisher (Apr 20)
- Re: suggesting passwds to users hggdh (Apr 21)
- RE: suggesting passwds to users Scovetta, Michael V (Apr 21)
- RE: suggesting passwds to users maburns (Apr 21)
- RE: suggesting passwds to users Sohl, Greg (Apr 21)
- SV: suggesting passwds to users Fredrik Hesse (Apr 21)
- RE: suggesting passwds to users Westman, Brad (Apr 21)