WebApp Sec mailing list archives
Re: suggesting passwds to users
From: Saqib Ali <docbook.xml () gmail com>
Date: Mon, 18 Apr 2005 10:23:54 -0700
1) Shoulder surfing might be problem for this type of solution, since you will need to display the password on the screen for the user to choose one. 2) In my experience, if the password is randomly generated bunch of letters, it becomes hard for the user to remember, and they tend to write them down on a piece of paper and paste on the bottom of the keyboard. :-( 3) Your system will NOT generate "random" password, instead it will generate "PSUEDO-RANDOM" passwords. this process can can be duplicated by an attacker to generate a list of all possible passwords, and use it in a dictionary attack. An easier and better approach is to let the user choose their own password, and then run a dictionary/bruteforce attack on the password file to make sure they are strong password. If they are not, prompt the user to change them. -- In Peace, Saqib Ali http://validate.sf.net
Current thread:
- suggesting passwds to users James Barkley (Apr 18)
- Re: suggesting passwds to users Mark Owen (Apr 20)
- Re: suggesting passwds to users robert (Apr 21)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Saqib Ali (Apr 20)
- Re: suggesting passwds to users SecurityFocus (Apr 21)
- Re: suggesting passwds to users James Barkley (Apr 20)
- Re: suggesting passwds to users Mark Owen (Apr 20)
- Re: suggesting passwds to users Kelly John Rose (Apr 20)
- Re: suggesting passwds to users Robert Hajime Lanning (Apr 20)
- Re: suggesting passwds to users Michael Silk (Apr 20)
- Re: suggesting passwds to users Martin Sarsale (Apr 20)
- <Possible follow-ups>
- RE: suggesting passwds to users Matt Fisher (Apr 20)
- Re: suggesting passwds to users hggdh (Apr 21)
- RE: suggesting passwds to users Scovetta, Michael V (Apr 21)