Rick, I get it. I do. What I'm suggesting is, instead of cramming a password down the throat, to use a clearly written English description of what a STRONG password would be and to use validation to determine what's a strong / weak password. There are plenty of JavaScript / server-side validation methods for doing this; it doesn't take that long to write a custom one. I wrote a custom one that I thought was pretty good until I came across a password issue that I had to debug, and during that time I realized that the client was using their email address as a password, so I beefed up my validation even more and wrote another bullet of "you can't use (first name, last name, email address, phone number, etc.)".
People do the damnedest things and they don't think about their own security sometimes, but I would still rather write the rules up and enforce those rules than say "my way or the highway." When I come across issues like that, I have 2 simple little actions in my admin: 1.) Force new password upon next login or 2.) Send new random strong password now and make them change it upon next login. I want them to be educated and use a strong password that they're going to remember and they're not going to write it down on a slip of paper because I won't let them change it otherwise.

Anyway, we'll just agree to disagree. It's ok. Two very valid opinions.

~Todd

On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> I don't see anywhere in those terms that a lawyer could *without a doubt*
> use to hold Google harmless if Google's servers were hacked (their fault)
> and a client's login info stolen and used to access a bank account.
>
> I think a jury would see Google as liable for their failed security.
> But I'm no lawyer...
>
> I do, however, begin to get concerned when clients want their personal data
> "secured" that a weak password could come back to bite them and me as well.
> The weak password, it would seem to me, would have to be the result of a
> user's sole choice, bypassing all guidance and cautions that I provide,
> including a strong password option.
>
> It is an interesting discussion. As my clients become more widespread and
> less "personal", the chance of lawsuits increases.
>
> Just want to protect my "assets"...
>
> Rick

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297427
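The validation Todd describes (strength rules plus a ban on first name, last name, email address and phone number), sketched as an added example that is not code from the thread. The function names, the user record fields, the 10-character minimum and the 3-of-4 character-class rule are all assumptions.

```javascript
// Added example: all names and thresholds here are assumptions, not from the thread.
const PERSONAL_MSG = "Do not use your name, email address or phone number.";

// Lower-case and strip punctuation so "Alex.Rivera" and "alexrivera" compare equal.
function normalize(s) {
  return String(s || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Collect the personal values a password must not contain.
function personalTokens(user) {
  const tokens = [user.firstName, user.lastName, user.email];
  if (user.email) tokens.push(user.email.split("@")[0]);      // local part alone
  if (user.phone) tokens.push(user.phone.replace(/\D/g, "")); // digits only
  // Ignore very short tokens (e.g. a 2-letter name) to avoid rejecting everything.
  return tokens.map(normalize).filter((t) => t.length >= 3);
}

// Returns { ok, problems } so the form can show plain-English reasons to the user.
function checkPassword(password, user) {
  const problems = [];
  if (password.length < 10) problems.push("Use at least 10 characters.");

  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes < 3) {
    problems.push("Mix at least 3 of: lower case, upper case, digits, symbols.");
  }

  // Compare on normalized text so added dots, dashes or capitals do not hide a match.
  const flat = normalize(password);
  if (personalTokens(user).some((t) => flat.includes(t))) {
    problems.push(PERSONAL_MSG);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample user record.
const sampleUser = {
  firstName: "Alex",
  lastName: "Rivera",
  email: "alex.rivera@example.com",
  phone: "(555) 010-2345",
};
console.log(checkPassword("alex.rivera@example.com", sampleUser));
console.log(checkPassword("correct-Horse-7-battery", sampleUser));
```

The same check has to run on the server as well, since client-side JavaScript validation can be bypassed.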

