 Administrative / General / 7784
Subject: Re: Password checks (was: Re: LUGNET Memberships)
Newsgroups: lugnet.people, lugnet.admin.general
Date: Mon, 25 Sep 2000 23:46:29 GMT

In lugnet.people, Todd Lehman writes:

> Cookie hacking is the logical place for crackers to focus since it's easy
> to make the HTTP logs look less un-normal than ten thousand hits all on the
> same URL.
>
> BTW, what is cookie/ip pair?

The BrickShelf uses the cookie returned *and* the ip address that the cookie
was issued to in order to reauthenticate logins.  Nobody has complained about
losing login yet via multiple proxies (i.e. aol).  Also, cookies can be made
*much* more difficult than typical passwords (BrickShelf uses 64 bytes).

> > but successful user/pw login should be delayed exactly the same as user/pw
> > failure.
>
> Why delay successful logins?  I thought the only thing that's important is
> that the failures take the same amount of time (or a random amount of time).
> If two failures take a different amount of time proportional to something like
> the matching portion (some old systems long ago did this) people can exploit
> that, but what could be exploited by not delaying on a successful attempt?
> You can't not give some sort of positive feedback to the user upon success.

If a successful login takes 10ms, and failures delay by 2 seconds, I know
if I don't receive a response within 100ms I can try again.

> > If you really wanted to be slick, drop successful and unsuccessful
> > logins into the homepage with no indication of login status.  Give successful
> > and unsuccessful logins similar cookies.  Of course that would impact
> > the user experience so you wouldn't do that :)
>
> That would be bad for users, ya.
>
> --Todd

So is not being able to set a password they can remember, no?

I think we agree in what makes a password stronger or weaker.
My recommendation is to choose the right balance between convenience
and security.  If no one is hacking accounts and many users are complaining
about the password filter, then you might want to adjust the filter settings.
My guess is that many more people will explore and use the more advanced
LUGNET features if you do that.  I'd like to see more people rate sets,
list inventories and create web pages on LUGNET.  I'm almost certain this
password thing is affecting that.  Although I have to admit the set
inventory was so cool I actually dug the LUGNET membership card out of the
closet (no minor task) just so I could log in and try it out.

Hmm, this gives me an idea for the next poll...

KL
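The two mechanisms argued over above, as an added example that is not code from the original post, LUGNET or BrickShelf: a login check that delays only failures next to one that delays every answer, a model of an attacker who stops waiting after a short timeout (the "try again after 100ms" point), and a 64-byte cookie bound to the issuing IP address as the post describes the BrickShelf doing. The salted-SHA-256 credential store, the user table, the wordlist and the delay figures are constructed for the example; response times are modelled as numbers rather than actual sleeps so the guess rates are exact.

```python
"""Why a login that delays only failures is a timing oracle, and what a
cookie/ip pair looks like.  Constructed example, not LUGNET or BrickShelf code."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample credential store; the salted-SHA-256 scheme is an assumption.
SALT = b"constructed-salt"
USERS: Dict[str, bytes] = {"kl": hashlib.sha256(SALT + b"hunter2").digest()}

FAIL_DELAY = 2.0     # seconds a failed attempt is held before the server answers
SUCCESS_COST = 0.01  # seconds a successful attempt takes when not deliberately delayed


def _digest(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode()).digest()


def login_leaky(user: str, password: str) -> Tuple[bool, float]:
    """Delays failures only.  Returns (ok, seconds until the client sees a reply)."""
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, _digest(password)):
        return True, SUCCESS_COST
    return False, FAIL_DELAY


def login_uniform(user: str, password: str) -> Tuple[bool, float]:
    """Same check, but success and failure are both held for FAIL_DELAY."""
    stored = USERS.get(user, bytes(32))  # dummy digest: unknown users cost the same
    ok = hmac.compare_digest(stored, _digest(password)) and user in USERS
    return ok, FAIL_DELAY


def guesses_per_second(handler: Callable[[str, str], Tuple[bool, float]],
                       user: str, wordlist: List[str], timeout: float
                       ) -> Tuple[Optional[str], float]:
    """Model an attacker who abandons any request not answered within `timeout`
    seconds and immediately sends the next guess.  Returns (password found or
    None, guesses sent per second of attacker wall time)."""
    elapsed = 0.0
    for tried, guess in enumerate(wordlist, 1):
        ok, response_time = handler(user, guess)
        if response_time > timeout:
            elapsed += timeout   # gave up waiting; a slow answer is read as "wrong"
            continue
        elapsed += response_time
        if ok:
            return guess, tried / elapsed
    return None, len(wordlist) / elapsed


# --- cookie/ip pair, as the post describes the BrickShelf doing it ----------
SESSIONS: Dict[str, Tuple[str, str]] = {}   # cookie -> (user, ip it was issued to)


def issue_cookie(user: str, ip: str) -> str:
    """64 random bytes (512 bits), far beyond any memorable password, bound to
    the client address that completed the login."""
    cookie = secrets.token_hex(64)          # 64 bytes -> 128 hex characters
    SESSIONS[cookie] = (user, ip)
    return cookie


def reauthenticate(cookie: str, ip: str) -> Optional[str]:
    """Accept the cookie only from the address it was issued to."""
    entry = SESSIONS.get(cookie)
    if entry is None or entry[1] != ip:
        return None
    return entry[0]


WORDLIST = ["password", "lego", "bricks", "hunter2"]   # constructed guesses

if __name__ == "__main__":
    for name, handler, timeout in [("delay failures only", login_leaky, 0.1),
                                   ("delay everything", login_uniform, FAIL_DELAY)]:
        found, rate = guesses_per_second(handler, "kl", WORDLIST, timeout)
        print(f"{name:20s} timeout={timeout:4.1f}s found={found!r} rate={rate:5.1f}/s")
    c = issue_cookie("kl", "10.0.0.1")
    print(reauthenticate(c, "10.0.0.1"), reauthenticate(c, "10.0.0.2"))
```

Against `login_leaky` the attacker sets a 100ms timeout, treats every slow answer as a miss and sends roughly ten guesses a second; the 2-second failure delay never costs him anything. Against `login_uniform` the only way to ever see a success is to wait the full delay on every guess, so the rate drops to one guess per two seconds. The cookie/ip pair part carries the caveat raised in one of the replies on this page: a client whose address changes mid-session (dial-up, DHCP, a pool of outbound proxies) is logged out and must authenticate again.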



Message has 3 Replies:
  Re: Password checks (was: Re: LUGNET Memberships)
 
(...) As is mine. Todd has one opinion of where that is. Some people think it is too strict. Some are happy. I wonder if any think it is too lenient? (...) I know it is affecting me. Todd sent me a new password and I set two more that hopefully I (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
  Re: Password checks (was: Re: LUGNET Memberships)
 
(...) But doesn't that make somebody have to log in again if they use *any* kind of non-static-IP connection -- i.e., a typical dial-up or DHCP connection -- and not limited only to shared proxy servers? If they're on a typical ISP dial-up PPP (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
  Re: Password checks (was: Re: LUGNET Memberships)
 
(...) I agree! In a cookie, you can put complete random garbage that only the authentication server knows how to interpret. And if certain bits contain an index, you can even use a one-time pad or other complex mapping to encrypt the data so that (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)

Message is in Reply To:
  Password checks (was: Re: LUGNET Memberships)
 
(...) (URL) [...] On the other hand, a server could probably get around that by (...) I'm very tempted to head in that direction. Even not relaxing the strictness of the validator, I think it would be wise. (...) Cooking hacking is the logical place (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)

113 Messages in This Thread:
©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR