Andreas Premstaller wrote:
> Ben, it definitively is a good thing to educate users to choose good
> passwords. A smart algorithm for the quality meter (as will be or is
> already used in mozilla, right, Bob ;-)?) will use non-alpha-characters,
> uppercase, ... (the "entropy" of the password) to calculate the quality
> of the password.
The algorithm for the quality meter is *not* smart. The code is
checked in so you can see it. If you (or anyone) have suggestions for a
better algorithm, please file a bug. If you can point to specific
research or standards in this area, that will help make your case. Given
that we're on some deadlines here we're trying to stay focused on the
top problems. See this page for more information.
http://www.mozilla.org/projects/security/pki/psm/plan_20.html#schedule
> The usual nickname will automatically turn out as a bad
> password then. I guess you did not want to suggest to check against
> dictionaries?
I filed this bug to track the ideas. Please feel free to add suggestions:
http://bugzilla.mozilla.org/show_bug.cgi?id=77535
> Bob, by popular press, do you mean computer magazine or newspaper? I
> doubt you find instructions to turn something on or off in a browser in
> a regular newspaper. On the other hand, a computer magazine can as
> easily publish a line to add to a pref file.
If someone cracks RC4, my guess is that you'll hear about it on the
national evening news (insert your definition of "national" here). The
press always asks "Is there anything the user can do to remedy the
problem right now, and before you have a patch available?".
>> But you could argue that "Download version n.m of Netscape 6" is also
>> sufficiently easy and also acceptable, considering that something like
>> that doesn't exactly happen each month.
>
> ...and that is also what people are used to from IE :-).
>
You are correct that this does not happen all the time (thank
goodness). And as you know, it does take time for vendors to spin up
and QA new releases. Having a way to feel safe *now* is a very good
thing.
-Bob
--
Bob Lord
Director, Security Engineering
Netscape Communications Corp.
http://www.mozilla.org/projects/security/pki/
http://people.netscape.com/lord/jobs
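As an added illustration, not the checked-in PSM meter code Bob refers to, here is a character-class entropy estimate of the sort Andreas describes, combined with the nickname/word-list check the thread raises as an open idea; the class pool sizes, rating thresholds and word list are constructed assumptions.

```javascript
// Added example (not the Mozilla PSM quality meter): rate a password by
// an entropy upper bound derived from the character classes it uses,
// and reject it outright if its alphabetic core is a known word.
const CLASSES = [
  { name: "lower",  re: /[a-z]/,         size: 26 },
  { name: "upper",  re: /[A-Z]/,         size: 26 },
  { name: "digit",  re: /[0-9]/,         size: 10 },
  { name: "symbol", re: /[^A-Za-z0-9]/,  size: 33 }, // printable ASCII punctuation
];

// Constructed sample list standing in for a real dictionary / nickname list.
const WORD_LIST = new Set(["password", "secret", "mozilla", "netscape", "nickname"]);

// Size of the alphabet a guesser would have to cover, given the classes present.
function poolSize(password) {
  return CLASSES.filter((c) => c.re.test(password)).reduce((n, c) => n + c.size, 0);
}

// Upper bound on entropy in bits: assumes every character was drawn uniformly
// from the pool of classes actually used (a real meter should also penalise
// patterns; this is the "count the classes" estimate the thread discusses).
function estimateBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(poolSize(password));
}

// Strip leading/trailing digits and symbols, lowercase, and look the core up,
// so "Mozilla1!" is still caught as the word "mozilla".
function inWordList(password) {
  const core = password.toLowerCase().replace(/^[^a-z]+|[^a-z]+$/g, "");
  return WORD_LIST.has(core);
}

// Thresholds (assumed): < 28 bits bad, < 50 bits fair, otherwise good.
function rateQuality(password) {
  const bits = estimateBits(password);
  if (inWordList(password)) return { bits, rating: "bad", reason: "word-list match" };
  if (bits < 28) return { bits, rating: "bad", reason: "too few bits" };
  if (bits < 50) return { bits, rating: "fair", reason: null };
  return { bits, rating: "good", reason: null };
}
```

Note that class mixing alone does not rescue a dictionary word: the word-list check fires before the bit count is consulted.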