In lugnet.people, Todd Lehman writes:
>
> Cookie hacking is the logical place for crackers to focus since it's easy
> to make the HTTP logs look less un-normal than ten thousand hits all on the
> same URL.
>
> BTW, what is cookie/ip pair?
The BrickShelf uses the cookie returned *and* the ip address that the cookie
was issued to for reauthenticating a login. Nobody has complained about losing
login yet via multiple proxies (i.e. aol). Also, cookies can be made
*much* more difficult than typical passwords (BrickShelf uses 64 bytes).
>
> > but successful user/pw login should be delayed exactly the same as user/pw
> > failure.
>
> Why delay successful logins? I thought the only thing that's important is
> that the failures take the same amount of time (or a random amount of time).
> If two failures take a different amount of time proportional to something like
> the matching portion (some old systems long ago did this) people can exploit
> that, but what could be exploited by not delaying on a successful attempt?
> You can't not give some sort of positive feedback to the user upon success.
If successful login takes 10ms, and failures delay by 2 seconds, I know
if I don't receive a response within 100ms I can try again.
>
> > If you really wanted to be slick, drop successful and unsuccessful
> > logins into the homepage with no indication of login status. Give successful
> > and unsuccessful logins similar cookies. Of course that would impact
> > the user experience so you wouldn't do that :)
>
> That would be bad for users, ya.
>
> --Todd
So is not being able to set a password they can remember no?
I think we agree on what makes a password stronger or weaker.
My recommendation is to choose the right balance between convenience
and security. If no one is hacking accounts and many users are complaining
about the password filter, then you might want to adjust the filter settings.
My guess is that many more people will explore and use the more advanced
LUGNET features if you do that. I'd like to see more people rate sets,
list inventories and create web pages on LUGNET. I'm almost certain this
password thing is affecting that. Although I have to admit the set
inventory was so cool I actually dug the LUGNET membership card out of the
closet (no minor task) just so I could log in and try it out.
Hmm, this gives me an idea for the next poll...
KL
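As an added illustration of the uniform-delay point and the cookie/IP pair discussed in this thread (example code written for this page, not LUGNET's or BrickShelf's; the PBKDF2 hashing, the `lugnet-user` account, the session table and the 2-second delay are constructed assumptions):

```python
import hashlib
import hmac
import secrets

# Constructed user store for the example: username -> (salt, PBKDF2 hash).
# The hashing scheme and the account are assumptions, not LUGNET's.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"lugnet-user": (_SALT, _hash("correct horse", _SALT))}

FAILURE_DELAY = 2.0  # seconds, as in the thread's example

def check_password(user, password):
    """Verify credentials; an unknown user still burns a hash so lookup cost is uniform."""
    salt, stored = USERS.get(user, (_SALT, b"\x00" * 32))
    return hmac.compare_digest(_hash(password, salt), stored) and user in USERS

def login_naive(user, password):
    """Delays only failures: a client that gets no reply within ~100 ms can infer failure early."""
    ok = check_password(user, password)
    return ok, (0.0 if ok else FAILURE_DELAY)

def login_uniform(user, password):
    """Holds every attempt for the same time, so response time reveals nothing about the outcome."""
    ok = check_password(user, password)
    return ok, FAILURE_DELAY

def leaks_outcome(handler):
    """True if success and failure would be held for different lengths of time."""
    _, d_ok = handler("lugnet-user", "correct horse")
    _, d_bad = handler("lugnet-user", "wrong password")
    return d_ok != d_bad

# Cookie/IP pair: a 64-byte random token that is only honoured from the issuing address.
SESSIONS = {}  # token -> (user, ip); in-memory stand-in for a real session store

def issue_cookie(user, ip):
    token = secrets.token_hex(64)  # 64 random bytes, hex-encoded (128 chars)
    SESSIONS[token] = (user, ip)
    return token

def session_user(token, ip):
    """Return the user only if the cookie is known AND presented from the IP it was issued to."""
    user, issued_ip = SESSIONS.get(token, (None, None))
    return user if user is not None and issued_ip == ip else None
```

`leaks_outcome` reports the naive handler as distinguishable by timing and the uniform one as not; a real deployment would also rate-limit per source address rather than rely on the delay alone.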