| | Re: LUGNET Memberships Todd Lehman
|
| | (...) Is there a way to tell if a given IP address is a shared proxy server or not? If you disable login access as one user from a given IP address, then you effectively disable login access as _all_ users from that IP address, because it would be (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | |
| | | | Re: LUGNET Memberships Kevin Loch
|
| | | | (...) Um, yes I know that. It's also possible to generate "human random" dictionaries that speed up brute force of "strong" passwords where users are forced within certain limits. BTW, I wonder what the keyspace is of all (8 chars and less as (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | |
| | | | | | Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | (...) (URL) [...] On the other hand, a server could probably get around that by (...) I'm very tempted to head in that direction. Even not relaxing the strictness of the validator, I think it would be wise. (...) Cookie hacking is the logical place (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | |
| | | | | | Re: Password checks (was: Re: LUGNET Memberships) Kevin Loch
|
| | | | (...) The BrickShelf uses the cookie returned *and* the ip address that the cookie was issued to for reauthenticate login. Nobody has complained about losing login yet via multiple proxies (i.e. aol). Also, cookies can be made *much* more difficult (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | |
| | | | | | Re: Password checks (was: Re: LUGNET Memberships) Larry Pieniazek
|
| | | | | (...) As is mine. Todd has one opinion of where that is. Some people think it is too strict. Some are happy. I wonder if any think it is too lenient? (...) I know it is affecting me. Todd sent me a new password and I set two more that hopefully I (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | |
| | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | (...) I didn't plan for that. In the beginning, I honestly didn't think that anyone would ever forget their password (or at least not have it written down somewhere that they could find it). I'll have to come up with something. Since the pw's are (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | |
| | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Larry Pieniazek
|
| | | | | | | (...) No that would work, I wrote down the password you sent me and the two new ones I chose and they are pretty memorable, I hope. Implement something that generates a new password AND wipes out ALL the old ones in one fell swoop. Then send me the (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | |
| | | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Frank Filz
|
| | | | | | | | (...) A solution to this could be to do the following: - when someone asks for a password reset, create a new password for them, put it in the list, also put it in a special "reset account" password file (along with the ID). - when the user receives (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | |
| | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Steve Bliss
|
| | | | | | (...) Huh? Todd, I hope you meant to write, "I didn't think about dealing with people forgetting their passwords". People forget passwords *all* *the* *time*. That's why so many sites have such ridiculously unsecure password requirements -- so (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | |
| | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | (...) No, I meant exactly that: I didn't think that anyone would ever (a) forget their password or (b) not be able to just go look it up. When you put it in a cookie, you don't even have to remember it beyond that, unless you move to different (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | |
| | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | (...) But doesn't that make somebody have to log in again if they use *any* kind of non-static-IP connection -- i.e., a typical dial-up or DHCP connection -- and not limited only to shared proxy servers? If they're on a typical ISP dial-up PPP (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | |
| | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | (...) I agree! In a cookie, you can put complete random garbage that only the authentication server knows how to interpret. And if certain bits contain an index, you can even use a one-time pad or other complex mapping to encrypt the data so that (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | |