Why do you care if the password is unique?

Wouldn't your time be better spent making sure the password is mixed case
with letters and numbers so it can't be easily guessed? Or perhaps you
should write something that would de-activate the account if the user types
in the wrong password on more than three consecutive tries?

Also, if the username is truly unique, then the password doesn't need to be
part of the key.

-w

At 09:59 PM 1/4/2004, you wrote:
>I want to enable users of my web app, upon creating their accounts, to
>be able to select their own login password. When they create their
>account, I'm comparing their proposed password with all other
>passwords stored in a db to ensure that the proposed password is
>unique. If it's not, though, I don't think it's wise to return a
>message of "That password is already being used. Please select
>another" -- seems too insecure.
>
>What is a "good practices" way of handling this situation:
>
>1. Ensuring instead that only the username is unique, and then making
>the unique login key to be the combo of the username/password fields?
>
>2. Something else?
>
>TIA.
>
>-------------
>Regards,
>Bob Haroche
>O n P o i n t  S o l u t i o n s
>www.OnPointSolutions.com
>
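A sketch of the design the reply points toward, added here as an example and not code from anyone in the thread: only the username is unique, the password must be mixed case with letters and digits, and the account is de-activated after more than three consecutive wrong passwords. The per-user salted PBKDF2 hash, the 8-character minimum, the table layout and all function names are assumptions of this example; with a salt per user, two accounts can share a password without the application being able to tell.

```python
import hashlib, hmac, os, sqlite3

MAX_FAILS = 3  # assumption: lock once consecutive failures exceed this

def open_db():
    db = sqlite3.connect(":memory:")
    # Only the username is a key; nothing constrains the password column.
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, fails INTEGER DEFAULT 0, locked INTEGER DEFAULT 0)")
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def strong_enough(password):
    # Mixed case with letters and numbers; the minimum length is an assumption.
    return (len(password) >= 8 and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))

def register(db, username, password):
    if not strong_enough(password):
        return "weak password"
    salt = os.urandom(16)  # fresh salt per account
    try:
        with db:
            db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?,?,?)",
                       (username, salt, _hash(password, salt)))
    except sqlite3.IntegrityError:
        return "username taken"  # the only uniqueness message a user ever sees
    return "ok"

def login(db, username, password):
    row = db.execute("SELECT salt, pw_hash, fails, locked FROM users "
                     "WHERE username=?", (username,)).fetchone()
    if row is None:
        return "denied"
    salt, pw_hash, fails, locked = row
    if locked:
        return "locked"
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        with db:  # a success resets the consecutive-failure counter
            db.execute("UPDATE users SET fails=0 WHERE username=?", (username,))
        return "ok"
    fails += 1
    with db:
        db.execute("UPDATE users SET fails=?, locked=? WHERE username=?",
                   (fails, int(fails > MAX_FAILS), username))
    return "locked" if fails > MAX_FAILS else "denied"
```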