WebApp Sec mailing list archives
RE: suggesting passwds to users
From: maburns () safenet-inc com
Date: Wed, 20 Apr 2005 11:50:29 -0700
The best answer is two-factor authentication such as a USB ikey token which is technically identical to a ATM card. It carries the identity of the user and the shared secret for authentication is programmed onto the key and encrypted. It is much more secure then username and passwords and is actually easier to use since the only thing the user needs to remember is their pin number. Two-factor authentication means 1) something you have (Key token) with something only you know (pin) so it does not matter if either is lost or stolen since you need both (hence two-factor) to get access, again the same as your ATM card. People are familiar with ATM cards so the education issue is simple and again a two-factor token is more secure then complicated passwords that a user will write down which defeats the security....right???? Mary Ann Burns -----Original Message----- From: Saqib Ali [mailto:docbook.xml () gmail com] Sent: Monday, April 18, 2005 12:56 PM To: James Barkley Cc: webappsec () securityfocus com Subject: Re: suggesting passwds to users
I suppose you could generate word-form passwords such as g@L@xi3$ (galaxies) to try and manage the user. You have to compare the threats: is it more of a threat for a user to write down their password or to use the same password they have on 50 other web sites. I'm not sure what the answer is here....
Yup the answer will depend on your application, and the env you users are working in.
No offense, but DUH! Isn't it impossible for a computer to generate a truly random number without user interaction (such as random mouse movements to generate entropy, as gnupg asks the user to do when generating pub/priv keypairs)? Nevertheless, as your pseudo-randomness tends toward zero you will hit a point that is statistically acceptable. Like when scientists agree that 1x10^-200 chance of occurence can reasonably be considered impossible.
I m not going to comment on this :)
This is a not a bad idea, but I'm not sure my server can handle doing a dictionary/bruteforce attack on a user chosen password on the fly in enough time to return a response to the user. Some of these systems
You don't have to do it on-the-fly. You can run a CRON job on a nightly basis to do thorough verification of the password complexity. And prompt the user to change when they log in next time. -- In Peace, Saqib Ali http://validate.sf.net
Current thread:
- Re: suggesting passwds to users, (continued)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users SecurityFocus (Apr 21)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Kelly John Rose (Apr 20)
- Re: suggesting passwds to users Robert Hajime Lanning (Apr 20)
- Re: suggesting passwds to users Michael Silk (Apr 20)
- Re: suggesting passwds to users Martin Sarsale (Apr 20)
- RE: suggesting passwds to users Matt Fisher (Apr 20)
- Re: suggesting passwds to users hggdh (Apr 21)
- RE: suggesting passwds to users Scovetta, Michael V (Apr 21)
- RE: suggesting passwds to users maburns (Apr 21)
- RE: suggesting passwds to users Sohl, Greg (Apr 21)
- SV: suggesting passwds to users Fredrik Hesse (Apr 21)
- RE: suggesting passwds to users Westman, Brad (Apr 21)