WebApp Sec mailing list archives
Re: suggesting passwds to users
From: Mark Owen <mr.markowen () gmail com>
Date: Mon, 18 Apr 2005 15:12:17 -0400
> So, when the user is at the change password page and about to type in "Mets4Ever" as their new password, why not give them a list of 10 or so cryptographically strong, randomly generated passwords as suggestions for them.
Given a list of randomly generated passwords or the option of entering a convenient-to-remember password, I believe the end user will always pick their own. Those who will pick one from your list will surely write it down to remember later. I believe the best option for security in this example is to enforce strict password policies (mix upper, lower, numeric, and special characters with at least 8 in total) and prevent the end user from writing it down. I generally advise users to use something similar to M3ts~4~Ev3r! to remember a complex password more easily. I would personally try to stay away from giving them the option to choose a predefined password due to its difficulty in recalling. Another option is to use 2-form authentication. Mets4Ever and a token would be an ideal solution.

-- Mark Owen
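The two mechanisms discussed in this thread, a list of randomly generated suggestions (the quoted proposal) and a policy check requiring upper, lower, numeric and special characters with at least 8 in total (Mark's reply), are both small enough to show in code. The following is an added example written for this archive page; it is not code from either poster. The set of characters counted as "special" and the suggested length of 12 are assumptions, since the thread does not define them.

```python
import secrets
import string

# Policy as stated in the reply: upper, lower, numeric and special characters,
# at least 8 characters in total. The concrete special-character set is an
# assumption; the thread does not define one.
MIN_LENGTH = 8
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/~"


def check_policy(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def suggest_password(length: int = 12) -> str:
    """Draw one password from the OS CSPRNG (secrets) that satisfies check_policy.

    Rejection sampling keeps every character independently uniform over the
    alphabet, so no position is biased toward a particular class.
    """
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def suggest_passwords(count: int = 10, length: int = 12) -> list[str]:
    """Build the list of suggestions the quoted proposal describes."""
    return [suggest_password(length) for _ in range(count)]


if __name__ == "__main__":
    # Constructed sample inputs taken from the thread's own examples.
    for pw in ("Mets4Ever", "M3ts~4~Ev3r!"):
        print(f"{pw!r}: {check_policy(pw) or 'passes policy'}")
    print("suggestions:", suggest_passwords())
```

`check_policy` reports every failing rule rather than stopping at the first one, which is the feedback a change-password page needs in order to tell the user what to fix; `suggest_password` reuses the same function so a suggestion can never violate the policy it is offered under.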
Current thread:
- suggesting passwds to users James Barkley (Apr 18)
- Re: suggesting passwds to users Mark Owen (Apr 20)
- Re: suggesting passwds to users robert (Apr 21)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users SecurityFocus (Apr 21)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Mark Owen (Apr 20)
- Re: suggesting passwds to users Kelly John Rose (Apr 20)
- Re: suggesting passwds to users Robert Hajime Lanning (Apr 20)
- Re: suggesting passwds to users Michael Silk (Apr 20)
- Re: suggesting passwds to users Martin Sarsale (Apr 20)
- <Possible follow-ups>
- RE: suggesting passwds to users Matt Fisher (Apr 20)