You sound like my wife who's always telling me to be more civil and stop that "my way or the highway" kind of talk when I discuss issues. It's not that it's my way or the highway, I just tend to "cut to the chase" in getting to the bottom line and not phrasing my position very "diplomatically."
Besides, I've only had half a cup of coffee this morning at this point. :o| (Aaarf!)

Anyway, the problem with strong passwords is they're not easily, if at all, memorable. I'd rather a user have strong passwords, different ones for every instance where they need one, and write them down (preferably not on a post-it-note on the screen ;o) where they can access them, than to try to remember all the passwords they use, which can literally be hundreds, these days.

The biggest danger is not when someone robs their home (don't put the bank account passwords on paper), but hackers gaining access via email snooping, intercepting data flow, or breaking into companies that maintain confidential data. At least if someone breaks into my home, I know that my passwords are compromised. If they just get the info from an online account, I wouldn't have a clue for a while.

Rick

> -----Original Message-----
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 11:04 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
>
> Rick,
>
> I get it. I do. What I'm suggesting is, instead of cramming a password down the throat, to use a clearly written English description of what a STRONG password would be and to use validation to determine what's a strong / weak password. There's plenty of javascript / serverside validation methods for doing this, it doesn't take that long to write a custom one. I wrote a custom one that I thought was pretty good until I came across a password issue that I had to debug and during that time, I realized that the client was using their email address as a password so I beefed up my validation even more and wrote another bullet of you can't use (first name, last name, email address, phone number, etc).
>
> People do the damnedest things and they don't think about their own security sometimes, but I would still rather write the rules up and enforce those rules than say "my way or the highway." When I come across issues like that, I have 2 simple little actions in my admin: 1.) Force new password upon next login or 2.) Send new random strong password now and make them change it upon next login.
>
> I want them to be educated and use a strong password that they're going to remember and they're not going to write it down on a slip of paper because I won't let them change it otherwise. Anyway, we'll just agree to disagree. It's ok. Two very valid opinions.
>
> ~Todd
>
> On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
>
> > I don't see anywhere in those terms that a lawyer could *without a doubt* use to hold Google harmless if Google's servers were hacked (their fault) and a client's login info stolen and used to access a bank account.
> >
> > I think a jury would see Google as liable for their failed security. But I'm no lawyer...
> >
> > I do, however, begin to get concerned when clients want their personal data "secured" that a weak password could come back to bite them and me as well. The weak password, it would seem to me, would have to be the result of a user's sole choice, bypassing all guidance and cautions that I provide, including a strong password option.
> >
> > It is an interesting discussion. As my clients become more widespread and less "personal", the chance of lawsuits increases.
> >
> > Just want to protect my "assets"...
> >
> > Rick

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297437
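
The validation Todd describes in the quoted message (strength rules plus a ban on passwords built from the user's own name, email address or phone number) can be sketched as follows. This is an added example, not code from the thread; the function names, the 10-character minimum, the three-class rule and the sample user are assumptions.

```javascript
// Added example: password policy check. Thresholds are assumptions, not from the thread.
const MIN_LENGTH = 10;

// Lower-case and drop everything except letters and digits, so that
// "J.Smith" and "jsmith" compare equal.
function squash(s) {
  return String(s || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Build the list of personal tokens the password must not contain.
function personalTokens(user) {
  const email = String(user.email || "");
  const raw = [
    user.firstName, user.lastName,
    email, email.split("@")[0],                   // full address and local part
    String(user.phone || "").replace(/\D/g, ""),  // digits only
  ];
  // Ignore very short tokens (e.g. a two-letter name) to limit false positives.
  return [...new Set(raw.map(squash).filter((t) => t.length >= 3))];
}

// Returns a list of human-readable problems; an empty list means acceptable.
function checkPassword(password, user) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`must be at least ${MIN_LENGTH} characters`);
  }
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes < 3) {
    problems.push("must mix at least 3 of: lower case, upper case, digits, symbols");
  }
  // Compare in squashed form so punctuation or case changes do not hide a match.
  const squashed = squash(password);
  if (personalTokens(user).some((token) => squashed.includes(token))) {
    problems.push("must not contain your name, email address or phone number");
  }
  return problems;
}

// Constructed sample user, for illustration only.
const sampleUser = { firstName: "Pat", lastName: "Example",
  email: "pat.example@example.test", phone: "(555) 010-0199" };
console.log(checkPassword("pat.example@example.test", sampleUser)); // email as password
console.log(checkPassword("Violet-Kettle-42-Tram", sampleUser));    // accepted
```

The same check belongs on the server as well as in the browser, since client-side JavaScript can be bypassed.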

