|
WebApp Sec
mailing list archives
suggesting passwds to users
From: James Barkley <James.Barkley () noaa gov>
Date: Fri, 15 Apr 2005 03:19:38 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A user authenticates with a username/passwd and you not only give the
user the option to change his/her password any time they want but also
make it mandatory that they change their password at least once every
so often (e.g. 6 months). You know that users are not good at
choosing good passwords, but you happen to have a good application
module for generating random strong passwords. So, when the user is
at the change password page and about to type in "Mets4Ever" as their
new password, why not give them a list of 10 or so cryptographically
strong, randomly generated passwords as suggestions for them.
Assuming you are using https, then this seems like reasonable
security... or am I missing something?
- -Jim Barkley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt
zPNrsUoEcHrAlvIqbunriPM=
=EYEs
-----END PGP SIGNATURE-----
 By Date 
By Thread
Current thread:
- suggesting passwds to users James Barkley (Apr 18)
|
Intro
