Re: suggesting passwds to users

[Michael Silk <michaelslists () gmail com>]

Sure, they'll be strong passwords, but the users won't be able to
remember them. You could also bugger up the 'randomization' of your
passwords.

Better to allow them to create their own passwords and make sure they
are 'strong'.

-- Michael

On 4/15/05, James Barkley <James.Barkley () noaa gov> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A user authenticates with a username/passwd and you not only give the
> user the option to change his/her password any time they want but also
> make it mandatory that they change their password at least once every
> so often (e.g. 6 months).  You know that users are not good at
> choosing good passwords, but you happen to have a good application
> module for generating random strong passwords.  So, when the user is
> at the change password page and about to type in "Mets4Ever" as their
> new password, why not give them a list of 10 or so cryptographically
> strong, randomly generated passwords as suggestions for them.
> Assuming you are using https, then this seems like reasonable
> security... or am I missing something?
>
> - -Jim Barkley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
>
> iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt
> zPNrsUoEcHrAlvIqbunriPM=
> =EYEs
> -----END PGP SIGNATURE-----