Re: Are PassPhrases Secure Enough?
From: clintonG (csgallagher_at_REMOVETHISTEXTmetromilwaukee.com)
Date: 11/24/04
- Next message: HelpNeeded: "Re: MSDE does not work in Terminal Services: REQUIRES ALL USERS TO BE ADMINISTRATORS!!!!!"
- Previous message: clintonG: "Re: Are PassPhrases Secure Enough?"
- In reply to: John M Deal: "Re: Are PassPhrases Secure Enough?"
- Next in thread: Valery Pryamikov: "Re: Are PassPhrases Secure Enough?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 24 Nov 2004 14:54:41 -0600
Common sense ruins another day ;-)
<%= Clinton Gallagher
"John M Deal" <johndeal@necessitysoftware.com> wrote in message
news:OM$7IRl0EHA.2540@TK2MSFTNGP09.phx.gbl...
> The thing about pass phrases that I've always disliked from a security
> point of view is that many people can know the answer to a question but
> I should be the only one that knows the password. For example, my
> sister, father, mother, step father, best friend, financial adviser, and
> a whole lot more people know my father's middle name and my email
> address. I don't want any of them getting to my private information and
> if it isn't private enough to care if any of those people can get to it
> why does it even need to be protected.
>
> Also if you let the user pick their own pass phrase you have an even
> odds (and maybe not even that good) chance that they'll pick something
> worthwhile / significantly strong. I'd say make them pick a password
> and use it, then if they decide to make things insecure from their end
> it is their fault not yours.
>
> Have A Better One!
>
> John M Deal, MCP
> Necessity Software
>
> clintonG wrote:
> > I've been thinking of implementing the following and seek comments pro
> > and con.
> >
> > When registering, the user provides an e-mail address and creates a
> > password phrase question such as "What is your father's middle name?" The
> > user also provides the answer to the phrase he or she has created.
> >
> > Future attempts to log in initially request the e-mail address only. A
> > callback is issued and the login form is updated to display the user's
> > passphrase "What is your father's middle name?" The user provides the
> > correct answer and is presumably authenticated.
> >
> > That is the gist of this postulation. I am seeking comments regarding
> > how to harden this methodology using hashed values to salt or other
> > comments why this type of methodology would not be as secure as any
> > other currently implemented.
> >
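As an added example (not code from this thread or from either poster), here is the register / challenge / verify flow clintonG proposes, in Python, storing a per-user salted PBKDF2 digest of the answer rather than the answer itself; the in-memory table, the e-mail as lookup key and the iteration count are assumptions.

```python
# Added example: clintonG's e-mail -> question -> answer login, with the
# stored answer salted and hashed (addresses the "hashed values to salt" ask).
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


@dataclass
class _Record:
    question: str
    salt: bytes
    digest: bytes


def _normalize(answer: str) -> str:
    # Fold case and trim so "Robert" and " robert " match; this shrinks the
    # guess space slightly but avoids locking out a user over capitalisation.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", _normalize(answer).encode(), salt, PBKDF2_ITERATIONS
    )


class PassphraseStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self) -> None:
        self._users: dict = {}

    def register(self, email: str, question: str, answer: str) -> None:
        salt = os.urandom(16)  # per-user salt: equal answers get different digests
        self._users[email.casefold()] = _Record(question, salt, _derive(answer, salt))

    def challenge(self, email: str) -> Optional[str]:
        # Second step of the login: the question to display on the form.
        rec = self._users.get(email.casefold())
        return rec.question if rec else None

    def verify(self, email: str, answer: str) -> bool:
        rec = self._users.get(email.casefold())
        if rec is None:
            return False
        # Salting hides the stored answer if the table leaks; it does not make
        # a short answer harder to guess through this call, so rate-limit it.
        return hmac.compare_digest(rec.digest, _derive(answer, rec.salt))
```

Hashing only protects the stored value; it does nothing about John's objection that the answer itself is known to relatives or is weakly chosen, so the scheme still needs throttling on verify and a real password alongside it.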