[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-users] password must be more complicated
|
From: |
Jan Owoc |
|
Subject: |
Re: [Savannah-users] password must be more complicated |
|
Date: |
Mon, 13 May 2013 17:19:53 -0600 |
On Mon, May 13, 2013 at 4:06 PM, Bob Proulx <address@hidden> wrote:
> Jan Owoc wrote:
>> I've seen a handful of websites offering a JavaScript-based password
>> quality checker. The website states something like "you must have a
>> quality of 40 for me to accept the password", and then the user types
>> characters, numbers, symbols, etc., until the quality meter hits at
>> least 40 (of 100). I sometimes dislike that a clever password I've
>> invented only gets 38, but I get instant feedback, rather than waiting
>> for the page to reload.
>
>> [1] http://www.passwordmeter.com/
>
> That is pretty cute. I don't like the deductions section where it
> deducts points for repeated letters so much because I think it belies
> the understanding that random values will have clusters. But of
> course that could be adjusted. (Think of flipping a coin. If you
> could never repeat the previous value then obviously it won't be a
> very random series. Same concept here.)
I didn't mean to say that this (randomly found) password checker is
perfect. Until this thread surfaced, I didn't know that a program like
pwqcheck existed, let alone what the phrase "pwqcheck options are:
'match=0 max=256 min=24,24,11,8,7' " meant. I wanted to point out that
a large portion of websites that require users to generate passwords
either:
A) have rules written out in human-readable form on what is an
acceptable password (eg. have all 4 of these character classes AND be
7 characters long, or have 3 of 3 character classes AND be 8
characters long, or be at least 24 characters long); the user can then
count the characters in the password they've invented or generated,
and know if it would pass
B) have some sort of JavaScript-based instant-feedback whether the
password is "poor", "acceptable", or "strong", with the minimum that
the site accepts being "acceptable"; the user instantly knows if the
password will be accepted without having to refresh the page
I think implementing "A" is much simpler than "B". Could we convert
the phrase "min=24,24,11,8,7" into text that would be understandable
to the average user of Savannah?
> It is Javascript but it is only there to provide immediate feedback to
> the user. Any real security must exist on the server. And so would
> still work just fine if Javascfript is turned off or unavailable such
> as in lynx, w3m, and so forth.
Yes, I meant to suggest the JavaScript in addition to the server-side
checks, as "instant feedback" to the user. It's just that the
JavaScript, assuming it runs properly, should accept/reject the same
passwords that the server would then accept/reject.
Cheers,
Jan
- Re: [Savannah-users] password must be more complicated, (continued)
- Re: [Savannah-users] password must be more complicated, Karl Berry, 2013/05/07
- Re: [Savannah-users] password must be more complicated, Jan Owoc, 2013/05/08
- Re: [Savannah-users] password must be more complicated, Bob Proulx, 2013/05/13
- Re: [Savannah-users] password must be more complicated,
Jan Owoc <=
- Re: [Savannah-users] password must be more complicated, Bob Proulx, 2013/05/15
- Re: [Savannah-users] password must be more complicated, Ineiev, 2013/05/17
- Re: [Savannah-users] password must be more complicated, Ineiev, 2013/05/14
Re: [Savannah-users] password must be more complicated, Bruce Korb, 2013/05/09