Re: suggesting passwds to users

From: Saqib Ali (docbook.xmlgmail.com)
Date: Mon Apr 18 2005 - 14:55:34 CDT


> I suppose you could generate word-form passwords such as gLxi3$
> (galaxies) to try and manage the user. You have to compare the
> threats: is it more of a threat for a user to write down their
> password or to use the same password they have on 50 other web sites.
> I'm not sure what the answer is here....

Yup, the answer will depend on your application and the environment your users
are working in.

> No offense, but DUH! Isn't it impossible for a computer to generate a
> truly random number without user interaction (such as random mouse
> movements to generate entropy, as gnupg asks the user to do when
> generating pub/priv keypairs)? Nevertheless, as your
> pseudo-randomness tends toward zero you will hit a point that is
> statistically acceptable. Like when scientists agree that 1x10^-200
> chance of occurrence can reasonably be considered impossible.

I'm not going to comment on this :)

> This is not a bad idea, but I'm not sure my server can handle doing
> a dictionary/bruteforce attack on a user chosen password on the fly in
> enough time to return a response to the user. Some of these systems

You don't have to do it on-the-fly. You can run a CRON job on a
nightly basis to do thorough verification of the password complexity,
and prompt the user to change it the next time they log in.

--
In Peace,
Saqib Ali
http://validate.sf.net
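The nightly audit job the reply describes, as an added example that is not part of the original post or any tool it mentions: it checks each stored hash against a small wordlist plus the usual dictionary-word manglings and returns the accounts that must be flagged for a forced change at next login. The account store, the PBKDF2-SHA256 hashing scheme, the wordlist and the sample users are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme for the account store: per-user random salt, PBKDF2-SHA256.
# The round count is kept low only so the sample runs quickly.
def hash_pw(password, salt, rounds=1000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

# Constructed wordlist; a real job would load a large dictionary file.
WORDLIST = ["galaxies", "password", "summer", "neohapsis"]

def mangle(word):
    """Yield the word and the common transformations users apply to a dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    leet = word.translate(str.maketrans("aeios", "43105"))  # a->4 e->3 i->1 o->0 s->5
    yield leet
    yield leet.capitalize()

def weak_accounts(records, wordlist=WORDLIST):
    """Return the usernames whose stored hash matches a wordlist-derived guess.

    records is an iterable of (username, salt, stored_hash). Because salts differ
    per user, every user costs len(guesses) hash computations, which is why this
    belongs in a nightly cron job rather than in the login or password-set path.
    The returned names feed a 'must change password at next login' flag.
    """
    guesses = [g for w in wordlist for g in mangle(w)]
    flagged = []
    for user, salt, stored in records:
        for guess in guesses:
            if hmac.compare_digest(hash_pw(guess, salt), stored):
                flagged.append(user)
                break  # one match is enough to flag the account
    return flagged

def make_record(user, password):
    """Build a constructed account-store row as the audit job would read it."""
    salt = os.urandom(16)
    return (user, salt, hash_pw(password, salt))

# Constructed sample accounts: two dictionary-derived passwords, one word-form
# password (the "gLxi3$" style from the quoted message) that the wordlist misses.
SAMPLE = [make_record("alice", "galaxies1"),
          make_record("bob", "gLxi3$"),
          make_record("carol", "g4l4x135")]
```

Run `weak_accounts(SAMPLE)` from the cron job and set the forced-change flag on each returned account; a wordlist miss (bob here) only means the guess set did not cover it, not that the password is strong.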