[Chicago-talk] Password strength

Chris Hamilton cjhamil at gmail.com
Fri Aug 7 09:07:19 PDT 2015 

> Disallow reuse of passwords (store MD5 hashes somewhere)

I wouldn't personally suggest doing this (and if you are going to do it, I
certainly wouldn't store them as MD5 hashes).

Presumably you're generating a new salt and strongly hashing the password
each time it's changed, as such your easiest choice is storing a history of
prior salt/hash combinations and comparing against these.  Still, I'm not
sure I'd recommend spending too much time caring about password reuse,
because unless you're going to disallow password reuse for all time, you
aren't actually preventing someone from reusing a password anyway (they
just need to go through N+1 quick password change iterations to get back to
where they started).

Some related reading:

http://security.stackexchange.com/questions/85074/is-it-safe-to-store-a-password-hash-history-for-preventing-user-to-keep-same-pas

-Chris

On Fri, Aug 7, 2015 at 10:53 AM, Joel Limardo <joel.limardo at forwardphase.com
> wrote:

> If I'm not mistaken a strength meter tells the user 'hey..your password is
> weak' which doesn't *force* them to change the password *nor* does it tell
> them how to make a better one. As a rule of thumb, once you find yourself
> acting on more than one assumption it is a good sign that you have too many
> variables on hand to make a workable design.
>
> I would instead a) force the user to enter a password of an appropriate
> length with certain characters like numbers and symbols b) periodically ask
> users to update their password (every 3 months, etc.) c) Disallow reuse of
> passwords (store MD5 hashes somewhere) d) check IP addresses to identify
> potential unauthorized access.
>
>
> On Fri, Aug 7, 2015 at 9:35 AM, <richard at rushlogistics.com> wrote:
>
>> I am using perl dancer to create a new user login page. I was surfing
>> arround to try to find how to create a password strength meter when I found
>> this http://www.perlmonks.org/?node_id=948997 which has me
>> second-guessing as to whether having one is even a good idea. Can anyone
>> lend some insight in this matter and perhaps where to go get a good one if
>> you believe they are a good idea?
>>
>> Thanks,
>>
>> Richard
>> _______________________________________________
>> Chicago-talk mailing list
>> Chicago-talk at pm.org
>> http://mail.pm.org/mailman/listinfo/chicago-talk
>>
>
>
>
> _______________________________________________
> Chicago-talk mailing list
> Chicago-talk at pm.org
> http://mail.pm.org/mailman/listinfo/chicago-talk
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.pm.org/pipermail/chicago-talk/attachments/20150807/bc0d91a9/attachment.html>

More information about the Chicago-talk mailing list