cthree Posted July 6, 2005 Well I still don't think this will enhance security one bit. An admin who uses a password like "dog" is begging (pardon the pun) for a beating. Anyone who doesn't run their site from behind a port-filtering firewall or permits public access to port 3306 is an idiot. Any employee of mine who posts confidential or sensitive information on any web site, even mine, is fired. A forum is not a secure vehicle of communications and shouldn't be treated as such by anyone. People are the weakest link in the chain and, until there is some sort of Internet driver's license test, always will be.
Wolfie Posted July 6, 2005 I think the idea is to help encourage the visitor to pick a password that is more complex, not the admin (although any admin using a weak password like "dog" or even "password" really has no business running a forum).
Louis M. Posted July 6, 2005 cthree said: Well I still don't think this will enhance security one bit. An admin who uses a password like "dog" is begging (pardon the pun) for a beating. Anyone who doesn't run their site from behind a port-filtering firewall or permits public access to port 3306 is an idiot. Any employee of mine who posts confidential or sensitive information on any web site, even mine, is fired. A forum is not a secure vehicle of communications and shouldn't be treated as such by anyone. People are the weakest link in the chain and, until there is some sort of Internet driver's license test, always will be. Would an Internet driver's license really affect anything at all? Regular driver's licenses don't stop people from driving like idiots, do they?
cthree Posted July 7, 2005 x00783 said: Would an Internet driver's license really affect anything at all? Regular driver's licenses don't stop people from driving like idiots, do they? No, but at least they know to stop at a red light. More Internet users don't even know that much. I'm quite sure an email attachment named dont_click_me_im_a_virus.exe would be opened by more than a few people. It doesn't matter really; it was a joke. The point I'm making is that a door with one lock is generally more secure than one with 10 locks, because people faced with locking 10 locks will probably lock none, whereas someone with just one lock is more likely to use it. The best security system is only as good as the idiot with the keys, and people, being the lazy creatures we are, are more apt to do what's easy and avoid what's hard. Discussing the effectiveness of any security measure in the absence of humanity is wishful thinking. Like the post above said, most cracks of government computer systems were because of crappy passwords, the exact same MHALL-type BS passwords in use in every IT department at every major company. IMHO the key is to appeal to our relentless desire to get something for nothing. Make it as simple as possible and obtain at least a minimal level of security, rather than make it complex and face the inevitable human reaction of the "wedging the door open because I keep losing the keys" syndrome. This is a very complex problem that we've been struggling with since long before computers were even a dream. There is a tool for every job, and wasting development horsepower on this type of project has no merit IMHO. Login cookies, passwords sent in the clear, sorry, but all of the windows are wide open, so locking those 10 deadbolts up tight isn't going to help.
Wolfie Posted July 7, 2005 I partially agree with your comments. We humans are creatures of laziness. However, someone who would use the single lock is still likely to use at least one lock if there are 10 there. I'm for this idea, but with some reservations. For example, who's to say what makes a password strong or weak? A password that I think up and think "oh gosh, that's not a strong password at all, but I can't think of anything else", a hacker might come along and say, "geez, that's a heck of a password they're using, I just can't figure it out". As well as the opposite (I could think it's strong and 2 minutes later it's hacked). The reason that I'm for it is that it'll make someone more aware of the purpose of the password and the amount of protection they have, based on programmed experience. But reluctant because, as I said, it's hard to determine what is or isn't a good password.
Rοb Posted July 7, 2005 I'm very surprised that this suggestion has turned into a debate! It would take 10 minutes for Matt to implement, it helps users make better (more secure) choices regarding their passwords and it also looks funky. I could understand there being downsides if it had to start being linked to a database or something, but it doesn't. I'm sure Microsoft have their reasons for its addition to their mail service; perhaps the doubters should ask them why they think it's worthwhile :P
Wolfie Posted July 7, 2005 How would he code it? I don't mean the actual PHP code really, I mean the logic for determining what is and is not a strong password. Have at least 1 uppercase letter? Yes. Have at least 1 lowercase letter? Yes. Have at least 1 number? Yes. At least 6 letters long? Yes. Must be a strong password, right? "Alpha1" passes all of those, but it's a very weak password. So what would you have it check for to make sure it's a strong password and to give its opinion on its strength?
Rοb Posted July 7, 2005 -Strider- said: It isn't really that complicated; all it does is check for letters/numbers/symbols. If your pass contains all 3 then it's high, only 2 it gets medium, only one it gets weak. That's how it works ^^ If a password is 6 characters or longer and contains the above, it will be secure :)
Rοb Posted July 7, 2005 Dacity2 said: How would he code it? I don't mean the actual PHP code really, I mean the logic for determining what is and is not a strong password. Have at least 1 uppercase letter? Yes. Have at least 1 lowercase letter? Yes. Have at least 1 number? Yes. At least 6 letters long? Yes. Must be a strong password, right? "Alpha1" passes all of those, but it's a very weak password. So what would you have it check for to make sure it's a strong password and to give its opinion on its strength? Dacity2 said: Untrue, as I have already shown. You overlooked the symbols part. Start adding symbols to the equation and I can guarantee the password will be strong :)
Guest Posted July 7, 2005 Sounds good. I like how they have a random image rotator and play sound instead of just typing the characters by viewing it. Very inspirational ideas for software.
Wolfie Posted July 7, 2005 oasiz said: You overlooked the symbols part. Start adding symbols to the equation and I can guarantee the password will be strong :) "Beta=2". Weak password. At least 6 characters, 1 uppercase, 1 lowercase, 1 number and 1 symbol. Nope, it must be more than just size and the use of different groups.
Rοb Posted July 7, 2005 Are you telling me that if someone used the password "Beta=2" then it would be weak? It would take a bot a LONG time to crack it and a human would have no chance. The only way to make a password virtually foolproof would be to make sure it doesn't include any words found in the dictionary. Here's a good article... http://www.microsoft.com/athome/security/p...y/password.mspx Anyway, back on topic...
Wolfie Posted July 7, 2005 It would be weak for the reason of it having a word in it. But following that simple set of rules wouldn't detect that. It'd have to be more complex to determine password strength, and that's *with* using a dictionary to do comparisons. Without one it would be even more difficult, because what seems like random letters to the computer may be words to us. The computer and the language can only deduce the way it was designed. So whatever rule you make for the password, remember, it's no smarter than that rule. That's the point I was trying to make. I'm sure that if Matt wanted to, he could easily write something to determine password strength, and do an excellent job at it too. The point is that it would take more than a mere 10 minutes to do it.
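The three-class meter -Strider- and Rob describe, combined with the dictionary check Wolfie says it needs, as an added Python example; this is not code from the thread or from IPB, and the tiny word list and the four-character "remainder" threshold are assumptions standing in for a real dictionary and a tuned policy:

```python
import string

# Constructed stand-in for a real dictionary (assumption); a deployment
# would load a proper word list instead of this handful of words.
WORDLIST = {"alpha", "beta", "dog", "password", "admin", "forum"}


def class_meter(password, min_len=6):
    """The meter from the thread: letters, numbers and symbols count as
    classes; all three -> strong, two -> medium, one -> weak.
    Anything shorter than min_len is weak regardless of classes."""
    if len(password) < min_len:
        return "weak"
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    return {3: "strong", 2: "medium"}.get(classes, "weak")


def dictionary_words(password, wordlist=WORDLIST, min_word_len=3):
    """Dictionary words embedded anywhere in the password, matched
    case-insensitively, so 'Beta=2' still matches 'beta'."""
    lowered = password.lower()
    return sorted(w for w in wordlist if len(w) >= min_word_len and w in lowered)


def rate(password, min_remainder=4):
    """Class meter plus the dictionary check. If stripping the embedded
    words leaves fewer than min_remainder characters (assumed threshold),
    the password is rated weak no matter how many classes it mixes."""
    words = dictionary_words(password)
    remainder = password.lower()
    for w in words:
        remainder = remainder.replace(w, "")
    if words and len(remainder) < min_remainder:
        return "weak", words
    return class_meter(password), words


if __name__ == "__main__":
    for pw in ("Alpha1", "Beta=2", "k7#Qm2!p", "dog"):
        print(pw, class_meter(pw), rate(pw))
```

"Beta=2" scores "strong" on the class meter alone but "weak" once the word "beta" is stripped, which is exactly the gap the two posts above argue about.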
Aaron Posted July 18, 2005 Just wanted to bump this back up to see if I could get some feedback from Matt on this o:)
Justin125 Posted July 22, 2005 +500 Great idea! My members are having a hard time with passwords.
tigerbalm Posted July 22, 2005 +1000 (w00t) If you're the Devil's Advocate, turn it off in the ACP! Monster suggestion - :ninja: I've seen this suggested before and even threw it in myself on occasion. Really can't see what the problem is, so I'm assuming staff missed it. Would an ACP disable option not please all, including dissenters?
.Nuke Posted July 25, 2005 Aaron said: Just wanted to bump this back up to see if I could get some feedback from Matt on this o:) Bump, I'm on, let's get some feedback from Matt...
Rοb Posted July 27, 2005 Quote: Passwords must be between 3 and 32 characters long. While we are at it, that should be changed to at least a 6-character minimum as standard. 3 is a joke.
Wolfie Posted July 27, 2005 Should be Admin-settable to a minimum (with a forced minimum of 3, so that the Admin can't go below that limit).
Alaswad Posted August 6, 2005 Andrew said: Great suggestion :thumbsup: Agree :)
This topic is now archived and is closed to further replies.