[IPB]Password Suggestion


Guest Aaron


Well I still don't think this will enhance security one bit. An admin who uses a password like "dog" is begging (pardon the pun) for a beating. Anyone who doesn't run their site from behind a port filtering firewall or permits public access to port 3306 is an idiot. Any employee of mine that posts confidential or sensitive information on any web site, even mine, is fired.

A forum is not a secure vehicle of communications and shouldn't be treated as such by anyone. People are the weakest link in the chain and until there is some sort of Internet driver's license test they always will be.


I think the idea is to help encourage the visitor to pick a password that is more complex, not the admin (although any admin using a weak password like dog or even "password" really has no business running a forum).


Well I still don't think this will enhance security one bit. An admin who uses a password like "dog" is begging (pardon the pun) for a beating. Anyone who doesn't run their site from behind a port filtering firewall or permits public access to port 3306 is an idiot. Any employee of mine that posts confidential or sensitive information on any web site, even mine, is fired.

A forum is not a secure vehicle of communications and shouldn't be treated as such by anyone. People are the weakest link in the chain and until there is some sort of Internet driver's license test they always will be.

Would an Internet driver's license really affect anything at all? Regular driver's licenses don't stop people from driving like idiots, do they?

Would an Internet driver's license really affect anything at all? Regular driver's licenses don't stop people from driving like idiots, do they?

No, but at least they know to stop at a red light. More Internet users don't even know that much. I'm quite sure an email attachment named dont_click_me_im_a_virus.exe would be opened by more than a few people.

It doesn't matter really, it was a joke. The point I'm making is that a door with one lock is generally more secure than one with 10 locks, because people faced with locking 10 locks will probably lock none, whereas someone with just one lock is more likely to use it. The best security system is only as good as the idiot with the keys, and people, being the lazy creatures we are, are more apt to do what's easy and avoid what's hard. Discussing the effectiveness of any security measure in the absence of humanity is wishful thinking. Like the post above said, most cracks of government computer systems were because of crappy passwords, the exact same MHALL-type BS passwords in use in every IT department at every major company.

IMHO the key is to appeal to our relentless desire to get something for nothing. Make it as simple as possible and obtain at least a minimal level of security, rather than make it complex and face the inevitable human reaction: the "wedging the door open because I keep losing the keys" syndrome.

This is a very complex problem that we've been struggling with since long before computers were even a dream. There is a tool for every job, and wasting development horsepower on this type of project has no merit IMHO. Login cookies, passwords sent in the clear, sorry, but all of the windows are wide open, so locking those 10 deadbolts up tight isn't going to help.

I partially agree with your comments.

We humans are creatures of laziness. However, someone who would use the single lock is still likely to use at least one lock if there are 10 there.

I'm for this idea, but with some reservations. For example, who's to say what makes a password strong or weak? A password that I think up and think "oh gosh that's not a strong password at all but I can't think of anything else", a hacker might come along and say, "geez, that's a heck of a password they're using, I just can't figure it out". As well as the opposite (I could think it's strong and 2 minutes later, it's hacked).

The reason that I'm for it is that it'll make someone more aware of the purpose of the password and the amount of protection they have based on programmed experience. But reluctant because, as I said, it's hard to determine what is or isn't a good password.


I'm very surprised that this suggestion has turned into a debate!

It would take 10 minutes for Matt to implement, it helps users make better (more secure) choices regarding their passwords and it also looks funky.

I could understand there being downsides if it had to start being linked to a database or something, but it doesn't.

I'm sure Microsoft have their reasons for its addition to their mail service, perhaps the doubters should ask them why they think it's worthwhile :P


How would he code it? I don't mean the actual php code really, I mean, the logic for determining what is and is not a strong password.

Have at least 1 uppercase letter? Yes
Have at least 1 lowercase letter? Yes
Have at least 1 number? Yes
At least 6 letters long? Yes

Must be a strong password right?

"Alpha1" passes all of those but it's a very weak password.

So what would you have it check for to make sure it's a strong password and to give its opinion on its strength?


It isn't really that complicated, all it does is check for letters/numbers/symbols. If your pass contains all 3 then it's high, only 2 it gets medium, only one it gets weak.

That's how it works ^^

If a password is 6 characters or longer and contains the above it will be secure :)

How would he code it? I don't mean the actual php code really, I mean, the logic for determining what is and is not a strong password.

Have at least 1 uppercase letter? Yes
Have at least 1 lowercase letter? Yes
Have at least 1 number? Yes
At least 6 letters long? Yes

Must be a strong password right?

"Alpha1" passes all of those but it's a very weak password.

So what would you have it check for to make sure it's a strong password and to give its opinion on its strength?

Untrue, as I have already shown.

You overlooked the symbols part. Start adding symbols to the equation and I can guarantee the password will be strong :)

Sounds good.
I like how they have a random image rotator and play sound instead of just typing the characters by viewing it. Very inspirational ideas for software.


You overlooked the symbols part. Start adding symbols to the equation and I can guarantee the password will be strong :)

"Beta=2"

Weak password.

At least 6 characters, 1 uppercase, 1 lowercase, 1 number and 1 symbol.

Nope, it must be more than just size and the use of different groups.

Are you telling me that if someone used the password "Beta=2" then it would be weak?

It would take a bot a LONG time to crack it and a human would have no chance.

The only way to make a password virtually foolproof would be to make sure it doesn't include any words found in the dictionary.

Here's a good article...

http://www.microsoft.com/athome/security/p...y/password.mspx

Anyway back on topic...


It would be weak for the reason of it having a word in it. But following that simple set of rules wouldn't detect that. It'd have to be more complex to determine password strength, and that's *with* using a dictionary to do comparisons. Without one it would be even more difficult, because what seems like random letters to the computer may be words to us. The computer and the language can only deduce the way it was designed. So whatever rule you make for the password, remember, it's no smarter than that rule. That's the point I was trying to make.

I'm sure that if Matt wanted to, he could easily write something to determine password strength, and do an excellent job at it too. The point is that it would take more than a mere 10 minutes to do it.
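The rules argued over in this thread, as an added Python example that is not code from the thread or from IPB: the three-group rating (letters/numbers/symbols), the four-check rule that "Alpha1" satisfies, and the dictionary lookup the later posts say is missing. The word list is a constructed stand-in for a real dictionary file.

```python
"""Password-strength rules from the thread, plus the dictionary check
the later posts argue a meter needs before it can call anything strong."""
import re
import string

# Constructed mini word list; a real meter would load a dictionary file.
WORDLIST = {"alpha", "beta", "dog", "password", "letmein"}


def four_checks(pw: str) -> bool:
    """Upper, lower, digit, and at least 6 characters: 'Alpha1' passes."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and len(pw) >= 6)


def class_count(pw: str) -> int:
    """How many of the three groups (letters, digits, symbols) are present."""
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return sum([has_letter, has_digit, has_symbol])


def simple_rating(pw: str) -> str:
    """Rule from the thread: 3 groups -> high, 2 -> medium, 1 -> weak,
    and anything shorter than 6 characters stays weak."""
    if len(pw) < 6:
        return "weak"
    return {3: "high", 2: "medium"}.get(class_count(pw), "weak")


def contains_dictionary_word(pw: str, words=WORDLIST, min_len: int = 3) -> bool:
    """Split on non-letters and look each alphabetic run up, case-insensitively."""
    return any(len(run) >= min_len and run.lower() in words
               for run in re.findall(r"[A-Za-z]+", pw))


def rating(pw: str) -> str:
    """The simple rating, downgraded to weak when a dictionary word is inside."""
    if contains_dictionary_word(pw):
        return "weak"
    return simple_rating(pw)


if __name__ == "__main__":
    for pw in ["Alpha1", "Beta=2", "xQ7#kp2!", "dog"]:
        print(f"{pw!r}: four_checks={four_checks(pw)} "
              f"simple={simple_rating(pw)} with_dictionary={rating(pw)}")
```

"Beta=2" shows the thread's disagreement in one line: the group rule calls it high, the dictionary lookup pulls it back to weak.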


  • 2 weeks later...

+1000

(w00t)


If you're the Devil's Advocate, turn it off in the ACP!

monster suggestion - :ninja:

I've seen this suggested before and even threw it in myself on occasion. Really can't see what the problem is, so I'm assuming staff missed it. Would an ACP disable option not please all, including dissenters?
