WebApp Sec mailing list archives
RE: suggesting passwds to users
From: "Sohl, Greg" <Greg.Sohl () Fiserv com>
Date: Wed, 20 Apr 2005 14:55:52 -0500
This came from http://www.nipc.gov/publications/nipcpub/password.htm, which no longer seems to be available: Remembering long passwords can be difficult, but there are some basic techniques users can employ to lessen the pain. First, choose a phrase that you will remember. As an example, we will use the phrase "The pearl in the river." You can then take a number that you are familiar with, such as a birthday. For this example we will use 7/4/01. Next, you can take the first letter of your phrase and interlace it with the chosen date to make something similar to t7p4i0t1r. This method creates a password that won't be found in any dictionary and is unique to the person who created it. It is important to remember though, that any password can be guessed if given enough time. Therefore, it is important to change your password within the amount of time it would take an attacker to guess it. For example, with the previous password it may take an attacker 60 days on a very fast computer to guess what it is. In order to ensure your systems safety then, a user must change their password before those 60 days come to an end. Greg -----Original Message----- From: Kelly John Rose [mailto:mllists () ptbcanadian net] Sent: Wednesday, April 20, 2005 8:45 AM To: James Barkley Cc: webappsec () securityfocus com Subject: Re: suggesting passwds to users The problem I see with this is that if the users are not going to use cryptographically strong passwords in the first place, what would make you believe that they will use one of the randomly generated passwords. The big problem that exists with those passwords is that end users (in my experience) do not like those type of passwords, and will just come up with their own favourites. As well, if you provide suggested passwords, there is more potential for abuse if someone gains access to that code, or is able to watch the "suggested" passwords. But, I think most importantly, if users are not going to use secure passwords in the first place, they are not going to use these suggested passwords either. .....Kelly John Rose..... James Barkley wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A user authenticates with a username/passwd and you not only give the user the option to change his/her password any time they want but also make it mandatory that they change their password at least once every so often (e.g. 6 months). You know that users are not good at choosing good passwords, but you happen to have a good application module for generating random strong passwords. So, when the user is at the change password page and about to type in "Mets4Ever" as their new password, why not give them a list of 10 or so cryptographically strong, randomly generated passwords as suggestions for them. Assuming you are using https, then this seems like reasonable security... or am I missing something? - -Jim Barkley -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt zPNrsUoEcHrAlvIqbunriPM= =EYEs -----END PGP SIGNATURE-----
Current thread:
- Re: suggesting passwds to users, (continued)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users SecurityFocus (Apr 21)
- Re: suggesting passwds to users Kelly John Rose (Apr 20)
- Re: suggesting passwds to users Robert Hajime Lanning (Apr 20)
- Re: suggesting passwds to users Michael Silk (Apr 20)
- Re: suggesting passwds to users Martin Sarsale (Apr 20)
- RE: suggesting passwds to users Matt Fisher (Apr 20)
- Re: suggesting passwds to users hggdh (Apr 21)
- RE: suggesting passwds to users Scovetta, Michael V (Apr 21)
- RE: suggesting passwds to users maburns (Apr 21)
- RE: suggesting passwds to users Sohl, Greg (Apr 21)
- SV: suggesting passwds to users Fredrik Hesse (Apr 21)
- RE: suggesting passwds to users Westman, Brad (Apr 21)