SV: suggesting passwds to users

[Fredrik Hesse <fredrik.hesse () nexus se>]

I suggest y'all have a look at the FIPS-181 standard
http://www.itl.nist.gov/fipspubs/fip181.htm
It's an algorithm for generating random _pronounceable_ passwords,
sort of the best of two worlds...
Download and read the standard, if I'm not totally off, it even
has a sample implementation by none other than Mr. Schneier.

Regards
Fredr!k
 

-----Ursprungligt meddelande-----
Från: Michael Silk
Till: James Barkley
Kopia: webappsec () securityfocus com
Skickat: 2005-04-19 02:39
Ämne: Re: suggesting passwds to users

Sure, they'll be strong passwords, but the users won't be able to
remember them. You could also bugger up the 'randomization' of your
passwords.

Better to allow them to create their own passwords and make sure they
are 'strong'.

-- Michael

On 4/15/05, James Barkley <James.Barkley () noaa gov> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A user authenticates with a username/passwd and you not only give the
> user the option to change his/her password any time they want but also
> make it mandatory that they change their password at least once every
> so often (e.g. 6 months).  You know that users are not good at
> choosing good passwords, but you happen to have a good application
> module for generating random strong passwords.  So, when the user is
> at the change password page and about to type in "Mets4Ever" as their
> new password, why not give them a list of 10 or so cryptographically
> strong, randomly generated passwords as suggestions for them.
> Assuming you are using https, then this seems like reasonable
> security... or am I missing something?
>
> - -Jim Barkley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
>
> iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt
> zPNrsUoEcHrAlvIqbunriPM=
> =EYEs
> -----END PGP SIGNATURE-----