On Saturday, January 19, 2013 6:49:11 PM UTC+1, Jonas Sicking wrote:
> On Jan 19, 2013 5:55 AM, <[email protected]> wrote:
> > On Friday, January 18, 2013 6:02:24 PM UTC+1, Lawrence Mandel wrote:
> > > ----- Original Message -----
> > > > On 18/01/13 16:16, Lawrence Mandel wrote:
> > > > > How about simply not specifying a default password so that the user
> > > > > has to enter one? IIRC, this is fairly standard practice.
> > > >
> > > > Probably because people wouldn't bother. But if you supply a default
> > > > one, clearing it is (usually; I haven't used FxOS text boxes much) a
> > > > fairly simple operation.
> > >
> > > There's probably a way that we can require people to enter a password.
> > > However, a scheme like that proposed by Stefan will likely be a simpler
> > > approach.
> > >
> > > > Also, I'm not sure it's fairly standard - pretty much every home
> > > > router, at least, supplied in the UK today now has a randomly-assigned
> > > > default password printed on the router itself, and if you want to use a
> > > > friend's when you are round their house, you have to go and find the
> > > > router and look at it.
> > >
> > > You're right. Clearly IDRC (I Didn't Recall Correctly).
> > >
> > > Lawrence
> >
> > Why still dealing with passwords?
> > http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup seems like a nicer
> > choice.
>
> Quoting from the article:
>
> WPS has been shown to easily fall to brute-force attacks.[2] A major
> security flaw was revealed in December 2011 that affects wireless routers
> with the WPS feature, which most recent models have enabled by default. The
> flaw allows a remote attacker to recover the WPS PIN in a few hours and,
> with it, the network's WPA/WPA2 pre-shared key.[3] Users have been urged to
> turn off the WPS feature,[4] although this may not be possible on some
> router models.[5]
>
> / Jonas

It's a trade-off. It's definitely an issue, but as stated as well:

"The ease or difficulty of exploiting this flaw is implementation dependent, as 
Wi-Fi router manufacturers could defend against such attacks by slowing or 
disabling the WPS feature after several failed PIN validation attempts.[3]"

Anyway, let's treat that as a feature request rather than a short-term fix for
this problem.

To get on topic: having English words is interesting but also does not make
sense for quite a large part of the world population (esp. considering we'll be
targeting the Spanish-speaking market first). So either use the dictionary on
the phone to generate the code (adds entropy as well) or make something
completely random.
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
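
The two options named at the end of the reply above (words from a locale dictionary, or something completely random), as an added example that is not part of the original thread and is not Firefox OS code. All function names, the 40-bit target, the 32-symbol alphabet and the 16-word Spanish list are assumptions constructed for illustration.

```javascript
// Added example: words-vs-random default hotspot passphrase (hypothetical names).
const rng = globalThis.crypto ??
  (typeof require !== 'undefined' ? require('node:crypto').webcrypto : undefined);

// Uniform integer in [0, n); rejection sampling avoids modulo bias.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) throw new RangeError('bad n');
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Entropy in bits of `count` independent uniform picks from `poolSize` options.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Smallest number of picks from `poolSize` options that reaches `targetBits`.
function picksNeeded(poolSize, targetBits) {
  if (poolSize < 2) throw new RangeError('pool needs at least 2 entries');
  return Math.ceil(targetBits / Math.log2(poolSize));
}

function pickMany(pool, count) {
  return Array.from({ length: count }, () => pool[randomBelow(pool.length)]);
}

// Option 1: words drawn from a word list in the device's language.
function wordPassphrase(words, targetBits) {
  const unique = [...new Set(words)]; // duplicates would overstate the entropy
  return pickMany(unique, picksNeeded(unique.length, targetBits)).join('-');
}

// Option 2: completely random characters (assumed alphabet, look-alikes removed).
const ALPHABET = 'abcdefghijkmnpqrstuvwxyz23456789'; // 32 symbols = 5 bits each
function randomPassword(targetBits) {
  return pickMany([...ALPHABET], picksNeeded(ALPHABET.length, targetBits)).join('');
}

// Constructed 16-word sample list; a real on-device dictionary is far larger.
const SAMPLE_ES = [
  'casa', 'perro', 'gato', 'libro', 'mesa', 'silla', 'playa', 'monte',
  'fuego', 'nieve', 'verde', 'rojo', 'puerta', 'campo', 'cielo', 'barco',
];

console.log('random :', randomPassword(40), `(${entropyBits(32, 8)} bits)`);
console.log('words  :', wordPassphrase(SAMPLE_ES, 40), `(${entropyBits(16, 10)} bits)`);
```

With the toy 16-word list, 40 bits takes ten words; a list of 7,776 words reaches the same target with four.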
