[Chicago-talk] Password strength

Doug Bell madcityzen at gmail.com
Fri Aug 7 09:10:00 PDT 2015


Obligatory xkcd: https://xkcd.com/936/

Password length is really the most important metric. Logging, and enforcing
limits on login attempts are the second most important thing.

Anything that makes it harder for the user to use password managers or
remember their password (like causing them to make a new password
periodically) will cause them to either write their password down on a slip
of paper, opening a security hole, or use the "password recovery" feature
of your site a lot.

Really, if you want security, you want multi-factor auth: A password is
something the user "knows". Send a validation code to a mobile phone, or
use RSA key fobs, which are something the user "has". (to a lesser extent,
sending an e-mail is another factor, but it's required that the user have
secured that e-mail account well)

Also, as Chris Hamilton mentioned, MD5 must not be used for storing hashed
passwords. Blowfish is the current best practice (to my knowledge).

Also, if you can avoid doing your own authentication altogether, delegating
to an OAuth or OpenID provider (Facebook, Twitter, Github, StackExchange,
etc...), then you don't have anything to worry about (cough)

Doug Bell
preaction at me.com
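As an added example (not code from anyone in this thread), here are the three technical points above in plain Perl: storing passwords with bcrypt via Crypt::Eksblowfish::Bcrypt (the Eksblowfish-based password hash that "Blowfish" refers to in this context), a length-first password check, and a per-account login attempt limit that logs every failure. The minimum length, attempt count, lockout window and the in-memory %attempts hash are assumptions chosen for the illustration; a Dancer app would keep the counters in its session or database store instead.

```perl
#!/usr/bin/env perl
# Added example, not from the mailing-list thread. Assumes the CPAN module
# Crypt::Eksblowfish::Bcrypt and a readable /dev/urandom.
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Policy values are assumptions for the example, not quoted from anywhere.
use constant MIN_LENGTH      => 12;
use constant MAX_ATTEMPTS    => 5;
use constant LOCKOUT_SECONDS => 15 * 60;

sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return $buf;
}

# Returns a crypt(3)-style string: "$2a$<cost>$<22-char salt><31-char hash>".
# The cost is a work factor: the key setup runs 2**cost times.
sub hash_password {
    my ($password, $cost) = @_;
    $cost //= 12;
    my $settings = sprintf('$2a$%02d$%s', $cost, en_base64(random_bytes(16)));
    return bcrypt($password, $settings);
}

# bcrypt() reads the cost and salt back out of the stored string, so hashing
# the candidate with the stored value as its settings reproduces it on success.
sub verify_password {
    my ($password, $stored) = @_;
    my $computed = bcrypt($password, $stored);
    return length($computed) == length($stored)
        && constant_time_eq($computed, $stored);
}

# Compare without short-circuiting on the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Length first; the only "complexity" rule is that the password is not
# trivially derived from the account name.
sub password_acceptable {
    my ($password, $username) = @_;
    return (0, "use at least " . MIN_LENGTH . " characters")
        if length($password) < MIN_LENGTH;
    return (0, "must not contain your username")
        if defined $username && index(lc $password, lc $username) >= 0;
    return (1, "ok");
}

my %attempts;   # username => { count => N, locked_until => epoch seconds }

# $now is injectable so the lockout can be exercised without waiting.
sub login {
    my ($username, $password, $stored_hash, $now) = @_;
    $now //= time;
    my $rec = $attempts{$username} //= { count => 0, locked_until => 0 };
    if ($rec->{locked_until} > $now) {
        warn "login: $username locked out until " . localtime($rec->{locked_until}) . "\n";
        return 0;
    }
    if (verify_password($password, $stored_hash)) {
        $rec->{count} = 0;
        return 1;
    }
    $rec->{count}++;
    warn "login: failed attempt $rec->{count} for $username\n";   # the log line
    if ($rec->{count} >= MAX_ATTEMPTS) {
        $rec->{locked_until} = $now + LOCKOUT_SECONDS;
        $rec->{count}        = 0;
    }
    return 0;
}

# Constructed demo input.
my ($ok, $why) = password_acceptable('Tr0ub4dor&3', 'richard');
print "short-but-complex password: $why\n";             # rejected on length
($ok, $why) = password_acceptable('correct horse battery staple', 'richard');
print "long passphrase: $why\n";                         # ok

my $hash = hash_password('correct horse battery staple');
print "stored: $hash\n";
print "right password: ", (login('richard', 'correct horse battery staple', $hash) ? "ok" : "fail"), "\n";
login('richard', "wrong$_", $hash) for 1 .. MAX_ATTEMPTS;
print "right password during lockout: ",
    (login('richard', 'correct horse battery staple', $hash) ? "ok" : "fail"), "\n";
```

Two caveats a practitioner should know: bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated, and the cost value should be raised over time as hardware gets faster (the stored string records which cost each hash was made with, so old entries can be re-hashed at the next successful login).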

On Aug 7, 2015, at 10:53 AM, Joel Limardo <joel.limardo at forwardphase.com>
wrote:

If I'm not mistaken a strength meter tells the user 'hey..your password is
weak' which doesn't *force* them to change the password *nor* does it tell
them how to make a better one. As a rule of thumb, once you find yourself
acting on more than one assumption it is a good sign that you have too many
variables on hand to make a workable design.

I would instead a) force the user to enter a password of an appropriate
length with certain characters like numbers and symbols b) periodically ask
users to update their password (every 3 months, etc.) c) Disallow reuse of
passwords (store MD5 hashes somewhere) d) check IP addresses to identify
potential unauthorized access.

On Fri, Aug 7, 2015 at 9:35 AM, <richard at rushlogistics.com> wrote:

> I am using perl dancer to create a new user login page. I was surfing
> around to try to find how to create a password strength meter when I found
> this http://www.perlmonks.org/?node_id=948997 which has me
> second-guessing as to whether having one is even a good idea. Can anyone
> lend some insight in this matter and perhaps where to go get a good one if
> you believe they are a good idea?
>
> Thanks,
>
> Richard
> _______________________________________________
> Chicago-talk mailing list
> Chicago-talk at pm.org
> http://mail.pm.org/mailman/listinfo/chicago-talk
>

