WebApp Sec mailing list archives
Re: random character checking at logon
From: Tim <tim-security () sentinelchicken org>
Date: Wed, 20 Apr 2005 18:58:01 -0400
> We have a policy for internet based login that passwords shouldn't be entered in full. Random characters from the password are prompted for - e.g. 2nd, 3rd, last.

^^^^^ I think your problem lies in this. ^^^^^

How many random digits are required each time? Especially on the web, it sounds like this is just asking for an online brute-force attack, unless it is implemented *very* carefully. Even then, it still sounds like a bad idea.

tim
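An added example, not part of the message above or of any code from the thread: a Python sketch of a partial-password check that pins the requested positions until they are answered correctly and counts failures toward a lockout. Both measures are assumptions about what a careful implementation involves; the class name, thresholds and stored secret are hypothetical and constructed for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 5   # assumed lockout threshold
POSITIONS = 3      # characters requested per login, as in the quoted "2nd, 3rd, last"

class PartialPasswordLogin:
    """Hypothetical server-side checker for 'enter characters i, j, k' logins."""

    def __init__(self, secrets_by_user):
        # Constructed store: this sketch keeps each secret in recoverable form.
        self._secrets = dict(secrets_by_user)
        self._pending = {}    # user -> positions pinned until a successful login
        self._failures = {}   # user -> consecutive failed attempts

    def challenge(self, user):
        """Return the positions to ask for. The same set is reissued until it
        is answered correctly, so reloading the page cannot re-roll it."""
        if user not in self._pending:
            rng = secrets.SystemRandom()
            n = len(self._secrets[user])
            self._pending[user] = tuple(sorted(rng.sample(range(n), POSITIONS)))
        return self._pending[user]

    def verify(self, user, answer):
        """Check one answer (characters in challenge order) and count failures."""
        if self._failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        positions = self.challenge(user)
        expected = "".join(self._secrets[user][i] for i in positions)
        if hmac.compare_digest(answer.encode(), expected.encode()):
            self._failures[user] = 0
            del self._pending[user]   # a fresh challenge only after success
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "locked" if self._failures[user] >= MAX_FAILURES else "denied"

def guess_odds(alphabet_size, positions=POSITIONS, attempts=MAX_FAILURES):
    """Chance that distinct blind guesses hit a pinned challenge before lockout,
    assuming each requested character is uniformly random."""
    return attempts / alphabet_size ** positions
```

With three digits requested and five attempts allowed, `guess_odds(10)` gives 0.005 per lockout window, which is the figure the "how many random digits" question is getting at.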
Current thread:
- random character checking at logon jimtames (Apr 20)
- Re: random character checking at logon Tim (Apr 21)
- Re: random character checking at logon Amit Klein (AKsecurity) (Apr 21)