To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.generalOpen lugnet.admin.general in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / General / 6431
6430  |  6432
Subject: 
 Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
 lugnet.admin.general
Date: 
 Sun, 23 Apr 2000 19:33:28 GMT
Viewed: 
 3299 times
  
In lugnet.admin.general, Todd Lehman writes:

The point is that there are plenty of other pw's that people could come up
with which aren't dangerous, but which are sufficiently random and perfectly
memorable.

Maybe I'm just miffed because it failed *all* of the passwords I use? :) If I
did anything that even remotely required great security that would be a problem
I guess!


IMHO it is reasonable to impose a minimum limit of characters, impose an
alpha-numeric mix, maybe even make sure that it isn't just one word known
to a dictionary mixed with one number. But much more than that seems too
restrictive.

:) you and I both know that you're an extremely intelligent adult who has
thought about these things and wouldn't pick something particularly risky

*mumble*mumble* Look over there - a MISB Galaxy Explorer!


What of a 10-year-old kid (not that there's anything wrong
with being a 10yo)?  Just because someone is a 10yo, should they should be
given a break and allowed to pick a risky pw like "lego4me"?

It's not just children - there are lots of adults out there with even mild
learning difficulties that might find it hard to remember more randomised
passwords.


On the flipside, if someone chooses a weak password and never writes it down
and never tells it to anyone, but then someone halfway around the globe who
has never met them suddenly guesses it through trial and error or a brute-
force attack, the blame lies entirely with the system and not with the user.

Just out of curiousity - would LUGNET allow brute-force or trial and error
attacks? Something like sending an email warning after 3 fails, then locking
the account for 24 hours after 5 fails would somewhat negate the danger of
those types of attacks?



Message has 2 Replies:
  Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
 
(...) Me too. I mean, I'm not miffed (I have *much* better things to get miffed about) but it did fail, without exception, every password I have ever used. (...) I do. And the things I apply them to have checks for weak passwds. I suspect that they (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
  Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
 
(...) Are there any that it gave between 0% and 100% to? (i.e., not < 0% ?) (...) Eeek -- no! -- locking people out on a failed login attempt would certainly negate the danger of a brute-force of attack, but it would make an entirely new type of (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Message is in Reply To:
  Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
 
(...) It's perfectly content to "pass" most 6- to 8- character pw's constructed by the first letter of successive words, especially if the pw includes a digit, a capital letter, or a special character. Those types of things tend to be "random" from (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)  

309 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    
Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR