Subject: Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: lugnet.admin.general
Date: Mon, 24 Apr 2000 18:26:56 GMT
In lugnet.admin.general, John Matthews writes:
> [...]
> This is becoming *way* too complicated. Let me have my newsreader access
> without making me feel like I am left out because I choose not to use the
> web interface.
> Sorry for trouncing your web playground Todd, but that is how I see it.
Thanks for your insightful and thoughtful comments, John!
It's really not as complicated as it may seem. There is a simple pw tester; it
does a reasonable job of identifying weaknesses in pw's, and it outputs a
number in a range. It fails anything below a given threshold on its scale.
Every site that allows people to choose their own password has _some_ kind of
validator attached to it. Usually it's something pretty simple like requiring
four or more characters or a mixture of letters, numbers, etc. Some of the
better ones also include dictionary checks.
From my POV, it's not a matter of whether or not to validate pw's with exactly
this sort of thing in combination with dictionary lookups and a couple other
checks, but simply a matter of where to set the threshold for pass vs. fail.
The magic number (whatever it is) has simply to be chosen high enough to be
safe for users and safe for LUGNET, yet low enough to be acceptable from a
human factors perspective. From recent feedback here, it seems that the
threshold may be higher than it should be. (That's OK; it can be adjusted
lower if needed.)
How best to proceed? Let's not talk about whether or not it's a good idea to
use a strict validator. Let's talk about what the validator's threshold could
safely be lowered to.
http://www.lugnet.com/people/members/pwsa/
There are two thresholds in need of being chosen:
1. The threshold above which pw's are considered "strong" (from a statistical
perspective) and passed without protest.
2. The threshold above which pw's are considered "strong enough" (from a
human factors perspective) and passed with protest (i.e., a warning)
and below which pw's are considered "too weak" for comfort and rejected
flat-out.
Maybe #1 ends up staying at 100%, or maybe it lowers to 50%. And maybe #2
needs to be set to 50%, or -25%, or maybe even -300%. The scale can be
adjusted.
If a consensus on what #2 should be cannot be reached, then the last resort
would be to go with a weaker form of strict validation -- something workable
but more importantly something that typical users are used to living with
(like, for example, being at least N characters long and having at least one
uppercase letter and one digit and one non-alphanumeric).
I'd love to hear more opinions from people who consider themselves typical
computer users -- this kind of input (like what John gave) is very helpful.
--Todd
p.s. Multi-layer passwords (for multi-tiered logins) are just an idea -- not
something on the slate. Don't worry about that being too complicated because,
if it ever would be useful to add, it would only be something purely optional.
It's not part of the present discussion.
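The two-threshold scheme described in the post above, worked through as an added
example. This is not the pwsa tester itself (its scoring rules are not shown in
the thread) and not code from the original post: the scoring formula, the 48-bit
calibration for 100%, the 150-point dictionary penalty, the thresholds STRONG=100
and WEAK=50, the toy word list and the sample passwords are all assumptions made
here to illustrate how a scale that can go negative, a dictionary check with
"leet" substitutions undone, and the weaker N-chars/uppercase/digit/symbol
fallback rule behave side by side.

```python
import math
import re
import string

# Constructed toy word list; a real validator would load a full dictionary file.
COMMON_WORDS = {"password", "lego", "lugnet", "letmein", "qwerty", "welcome", "monkey"}

# Common "leet" substitutions undone before the dictionary lookup (assumed table).
LEET = str.maketrans("0134$@!|", "oleasail")

# Assumed calibration: this many estimated bits of brute-force search scores 100%.
TARGET_BITS = 48.0

# Assumed thresholds (the post leaves both numbers open for discussion):
#   score >= STRONG        -> accept without comment
#   WEAK <= score < STRONG -> accept, but warn the user
#   score <  WEAK          -> reject outright
STRONG = 100.0
WEAK = 50.0


def charset_size(pw: str) -> int:
    """Size of the smallest mix of character classes containing every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII punctuation characters
    return max(size, 1)  # empty or all-whitespace input scores zero bits rather than crashing


def looks_like_dictionary_word(pw: str) -> bool:
    """True if pw is a listed word, possibly leet-spelled or padded with digits/punctuation."""
    lowered = pw.lower()
    candidates = {lowered, lowered.translate(LEET)}
    # Also try with leading/trailing non-letters removed ("lego1234", "!welcome").
    candidates |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", c) for c in list(candidates)}
    return any(c in COMMON_WORDS for c in candidates)


def pattern_penalty(pw: str) -> float:
    """Penalty per repeated character ("aaaa") or stepwise neighbour ("1234", "abcd", "dcba")."""
    penalty = 0.0
    for prev, cur in zip(pw, pw[1:]):
        if cur == prev or abs(ord(cur) - ord(prev)) == 1:
            penalty += 15.0
    return penalty


def score(pw: str) -> float:
    """Strength as a percentage of TARGET_BITS minus penalties; can go well below zero."""
    bits = len(pw) * math.log2(charset_size(pw))
    s = 100.0 * bits / TARGET_BITS
    if looks_like_dictionary_word(pw):
        s -= 150.0  # a dictionary hit outweighs any length/charset credit
    s -= pattern_penalty(pw)
    return round(s, 1)


def validate(pw: str, strong: float = STRONG, weak: float = WEAK) -> tuple[str, float]:
    """Return ("accept" | "warn" | "reject", score) under the two-threshold scheme."""
    s = score(pw)
    if s >= strong:
        return "accept", s
    if s >= weak:
        return "warn", s
    return "reject", s


def meets_composition_rule(pw: str, min_len: int = 8) -> bool:
    """The weaker fallback rule: at least min_len chars, one uppercase, one digit, one non-alphanumeric."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["password", "P@ssw0rd", "lego1234", "12345678", "zq7mkp2x", "Xk9#mQ2p"]:
        verdict, s = validate(candidate)
        print(f"{candidate:10} score={s:7.1f} {verdict:6} composition-rule={meets_composition_rule(candidate)}")
```

Two things worth noticing when it runs: "P@ssw0rd" satisfies the composition
fallback (8 chars, uppercase, digit, symbol) yet scores far below zero here
because the leet-normalised dictionary check catches it, which is the argument
for scoring over simple composition rules; and "zq7mkp2x" lands in the warn band
at the default thresholds but is accepted outright if STRONG is lowered to 50,
which is exactly the kind of adjustment the post says the scale allows.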