Re: Are PassPhrases Secure Enough?
From: John M Deal (johndeal_at_necessitysoftware.com)
Date: 11/24/04
- Next message: Ram Naresh Talluri: "print issue - Application hang"
- Previous message: William Stacey [MVP]: "Re: Reverse usage of public/private RSA encryption keys for licensing?"
- In reply to: clintonG: "Are PassPhrases Secure Enough?"
- Next in thread: clintonG: "Re: Are PassPhrases Secure Enough?"
- Reply: clintonG: "Re: Are PassPhrases Secure Enough?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 24 Nov 2004 10:34:50 -0800
The thing about pass phrases that I've always disliked from a security
point of view is that many people can know the answer to a question but
I should be the only one that knows the password. For example, my
sister, father, mother, step father, best friend, financial adviser, and
a whole lot more people know my father's middle name and my email
address. I don't want any of them getting to my private information, and
if it isn't private enough to care if any of those people can get to it,
why does it even need to be protected?
Also if you let the user pick their own pass phrase you have an even
odds (and maybe not even that good) chance that they'll pick something
worthwhile / significantly strong. I'd say make them pick a password
and use it, then if they decide to make things insecure from their end
it is their fault not yours.
Have A Better One!
John M Deal, MCP
Necessity Software
clintonG wrote:
> I've been thinking of implementing the following and seek comments pro and
> con.
>
> When registering, the user provides an e-mail address and creates a password
> phrase question such as "What is your father's middle name?" The user also
> provides the answer to the phrase he or she has created.
>
> Future attempts to log in initially request the e-mail address only. A
> callback is issued and the login form is updated to display the user's
> passphrase "What is your father's middle name?" The user provides the
> correct answer and is presumably authenticated.
>
> That is the gist of this postulation. I am seeking comments regarding how
> to harden this methodology using hashed values to salt or other comments why
> this type of methodology would not be as secure as any other currently
> implemented.
>
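The quoted post asks how the question-and-answer scheme could be hardened "using hashed values to salt". The following is an added illustration for this thread, not code from either poster: a hypothetical registration and login check that stores only a per-user random salt and a PBKDF2-HMAC-SHA256 derivation of the normalized answer, and verifies with a constant-time comparison. The e-mail addresses, question and answers are constructed sample values.

```python
"""Salted, iterated hashing of a 'pass phrase' answer, with a verify step.

Added illustration for this thread, not code from the original posters.
It assumes a hypothetical web app that keeps one record per user; the
e-mail addresses, question and answers used below are constructed.
"""
import hashlib
import hmac
import os
import unicodedata

# PBKDF2-HMAC-SHA256 parameters. The iteration count makes each guess
# cost the verifier (and anyone guessing) far more than a single hash.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def normalize_answer(answer: str) -> bytes:
    """Canonicalize free-text answers so 'Robert', ' robert ' and 'ROBERT'
    all verify. The same normalization runs at registration and at login."""
    folded = unicodedata.normalize("NFKC", answer).strip().casefold()
    # collapse internal whitespace runs ("van  der Berg" -> "van der berg")
    folded = " ".join(folded.split())
    return folded.encode("utf-8")


def register_phrase(email: str, question: str, answer: str) -> dict:
    """Build the stored record. Only the salt and the derived hash are kept;
    the plaintext answer is never written anywhere."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    derived = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer), salt, PBKDF2_ITERATIONS, DERIVED_KEY_BYTES
    )
    return {
        "email": email,
        "question": question,  # shown back to the user after the e-mail step
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": derived.hex(),
    }


def verify_answer(record: dict, answer: str) -> bool:
    """Re-derive from the submitted answer and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer),
        bytes.fromhex(record["salt"]),
        record["iterations"],
        DERIVED_KEY_BYTES,
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample users: two users who chose the same answer end up
    # with different stored hashes because each record has its own salt.
    alice = register_phrase("alice@example.com", "What is your father's middle name?", "Robert")
    bob = register_phrase("bob@example.com", "What is your father's middle name?", "Robert")
    print("alice correct  :", verify_answer(alice, "Robert"))
    print("alice folded   :", verify_answer(alice, "  ROBERT "))
    print("alice wrong    :", verify_answer(alice, "Roberta"))
    print("distinct hashes:", alice["hash"] != bob["hash"])
```

The per-user salt stops one precomputed table from covering every account, and the iteration count slows each verification. What hashing cannot do is enlarge the answer space: an answer drawn from a short list of common names, or one that several relatives already know, stays weak however carefully it is stored, which is the objection made in the reply above.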