List: General Discussion
From: Daevid Vincent
Date: January 20 2010 12:10am
Subject: RE: Record old passwords ?

> -----Original Message-----
> From: John Meyer [mailto:john.l.meyer@stripped] 
> Sent: Monday, January 18, 2010 5:04 PM
> To: colin@stripped; mysql@stripped
> Subject: Re: Record old passwords ?
>
> Although, on an OT, forcing people to not use a password that they
> have recently used is a bad idea.  What they eventually do is go with 
> something like "hometown01" "hometown02", etc.  Or worse, they start 
> writing down their passwords which is a whole other security problem.

Amen to that. At my work, they require a password change every month, but
they store the last 6 passwords you used, so I do exactly what you say -- I
have a logbook and store the same 6 passwords in it and just cycle them.
Other "tricks" I do are to use a pattern on the keyboard and just shift it.
None of this is secure, and I totally know it (although I'm not picking
"secret" or something as my PW, it's random letters/numbers/symbols). But I
hate the policy and I'm kind of a rebel like that. ;-p

It's a tough balance between trying to be secure because you have "ID-10t"
users and not being obnoxious to the end result that you have caused more
insecurity. Personally, I would suggest to just enforce strong password
rules ( >8 characters, no dictionary words, no 'leet' speak, symbol
required, one upper required, one number required, etc.) and leave it at
that. But you had better be enforcing this for something like a bank or
medical records. If you're trying to do this for a blog or social network
site or something equally trite, then you're doing your users a disservice
and only serving to frustrate them.

And of course, you NEVER store the actual password. You store a hash of it.
Then implement a simple system to generate a new password and mail it, or a
token to enable the user to change it if forgotten.


ÐÆ5ÏÐ 
"Some people, when confronted with a problem, think 'I know, I'll use XML.'"
Now they have two problems.
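The advice in the last three paragraphs of the message (strong-password rules, never storing the password itself but a hash of it, and a mailed token for forgotten passwords) as one added example in Python. This is written for this page, not code from the thread or from MySQL; the word list, the iteration count, the history depth and the class and function names are assumptions chosen for illustration. "A hash" is read the way a current deployment would: a per-password random salt and a deliberately slow key-derivation function, with the "last N passwords" rule enforced through those stored hashes so the cleartext is never kept anywhere.

```python
"""Added example: policy check, salted slow hashing, password history through
hashes, and a single-use, time-limited reset token of which only the hash is
stored. All names, parameters and the word list are assumptions."""
import hashlib
import hmac
import re
import secrets
import time
from typing import List, Optional, Tuple

# Deliberately low so the example runs quickly; use a far higher count
# (or Argon2/bcrypt) in production.
PBKDF2_ITERATIONS = 100_000
HISTORY_DEPTH = 6  # current password plus the previous five

# Constructed stand-in for a real dictionary / blocklist.
COMMON_WORDS = {"password", "secret", "hometown", "welcome", "letmein"}

# Undo common leet substitutions before the dictionary check.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations (empty when acceptable)."""
    problems = []
    if len(password) <= 8:
        problems.append("must be longer than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    normalised = password.translate(LEET_MAP).lower()
    for word in COMMON_WORDS:
        if word in normalised:
            problems.append(f"contains the dictionary word {word!r} (leet spelling included)")
            break
    return problems


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Fresh random salt per password; only (salt, digest) is ever stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserRecord:
    """In-memory stand-in for a users-table row: no cleartext, no reusable reset secret."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.reset_token_hash: Optional[bytes] = None
        self.reset_expires = 0.0
        problems = self.set_password(password)
        if problems:
            raise ValueError("; ".join(problems))

    def set_password(self, new_password: str) -> List[str]:
        """Apply policy and history rules; store the new hash on success."""
        problems = check_policy(new_password)
        # Every stored entry has its own salt, so the history check re-derives the
        # candidate against each entry instead of comparing digests directly.
        if not problems and any(verify_password(new_password, s, d) for s, d in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.append(hash_password(new_password))
        del self.history[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH entries
        return []

    def check_login(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return verify_password(password, salt, digest)

    def issue_reset_token(self, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
        """Return the token to e-mail; only its hash and expiry are kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_token_hash = hashlib.sha256(token.encode()).digest()
        self.reset_expires = now + ttl_seconds
        return token

    def redeem_reset_token(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Single use and time limited; the new password still has to pass set_password."""
        now = time.time() if now is None else now
        if self.reset_token_hash is None or now > self.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, self.reset_token_hash):
            return False
        if self.set_password(new_password):  # policy/history failure leaves the token usable for a retry
            return False
        self.reset_token_hash = None  # consumed
        return True


if __name__ == "__main__":
    print(check_policy("H0m3t0wn!1"))  # leet-spelled dictionary word is still caught
    alice = UserRecord("alice", "Correct-Horse9")
    print(alice.check_login("Correct-Horse9"), alice.set_password("Correct-Horse9"))
    token = alice.issue_reset_token()
    print(alice.redeem_reset_token(token, "Another-Pass7"), alice.redeem_reset_token(token, "Third-Try8#"))
```

The history check is the part that trips people up: because each stored hash has its own salt, two hashes of the same password never match byte for byte, so the new password has to be re-derived against each historical salt. The reset token is treated like a password in its own right: it is random, only its hash is stored, it expires, and it is cleared on first successful use.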

Thread
Record old passwords ? (Tompkins Neil, 18 Jan)
  • Re: Record old passwords ? (SH, 18 Jan)
  • Re: Record old passwords ? (Carsten Pedersen, 18 Jan)
  • Re: Record old passwords ? (Colin Streicher, 19 Jan)
    • Re: Record old passwords ? (John Meyer, 19 Jan)
      • RE: Record old passwords ? (Daevid Vincent, 20 Jan)
        • Re: Record old passwords ? (Jørn Dahl-Stamnes, 20 Jan)
          • Re: Record old passwords ? (Tompkins Neil, 22 Jan)
            • Re: Record old passwords ? (Suresh Kuna, 27 Jan)
    • Re: Record old passwords ? (Carlos Proal, 19 Jan)
      • Re: Record old passwords ? (Tompkins Neil, 19 Jan)
        • Re: Record old passwords ? (Tompkins Neil, 19 Jan)
          • Re: Record old passwords ? (Mark Goodge, 19 Jan)
            • Re: Record old passwords ? (John Meyer, 21 Jan)
              • RE: Record old passwords ? (Jerry Schwartz, 21 Jan)
          • Re: Record old passwords ? (Lucio Chiappetti, 21 Jan)
            • Re: Record old passwords ? (Mark Goodge, 21 Jan)
        • Re: Record old passwords ? (Mark Goodge, 19 Jan)
Re: Record old passwords ? (Tompkins Neil, 19 Jan)