Are PassPhrases Secure Enough?
From: clintonG (csgallagher_at_REMOVETHISTEXTmetromilwaukee.com)
Date: 11/24/04
- Previous message: Joe Kaplan (MVP - ADSI): "Re: Planning active directory integration"
- Next in thread: John M Deal: "Re: Are PassPhrases Secure Enough?"
- Reply: John M Deal: "Re: Are PassPhrases Secure Enough?"
- Reply: Valery Pryamikov: "Re: Are PassPhrases Secure Enough?"
Date: Wed, 24 Nov 2004 10:43:25 -0600
I've been thinking of implementing the following and seek comments pro and
con.

When registering, the user provides an e-mail address and creates a password
phrase question such as "What is your father's middle name?" The user also
provides the answer to the phrase he or she has created.

Future attempts to log in initially request the e-mail address only. A
callback is issued and the login form is updated to display the user's
passphrase "What is your father's middle name?" The user provides the
correct answer and is presumably authenticated.

That is the gist of this postulation. I am seeking comments regarding how
to harden this methodology using hashed values to salt or other comments why
this type of methodology would not be as secure as any other currently
implemented.
--
<%= Clinton Gallagher, "Twice the Results -- Half the Cost"
Architectural & e-Business Consulting -- Software Development
NET csgallagher@REMOVETHISTEXTmetromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
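
The registration and login flow described in the post above, with the answer kept only as a per-user salted PBKDF2 hash, as an added example that is not part of the original message. The in-memory `USERS` store, the function names, the answer normalization and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for the deployment
USERS = {}  # hypothetical in-memory store: e-mail -> record


def normalize(answer: str) -> bytes:
    # Assumed policy: case and extra whitespace do not change the answer.
    return " ".join(answer.split()).casefold().encode("utf-8")


def derive(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store cannot be reversed with one lookup table.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, PBKDF2_ITERATIONS)


def register(email: str, question: str, answer: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    USERS[email.lower()] = {
        "question": question,
        "salt": salt,
        "hash": derive(answer, salt),  # the plaintext answer is never stored
    }


def get_question(email: str):
    # Step 1 of login: the e-mail address alone selects the question to display.
    rec = USERS.get(email.lower())
    return rec["question"] if rec else None


def verify(email: str, answer: str) -> bool:
    # Step 2 of login: re-derive with the stored salt, compare in constant time.
    rec = USERS.get(email.lower())
    if rec is None:
        return False
    return hmac.compare_digest(derive(answer, rec["salt"]), rec["hash"])
```
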