On 04/16/2011 03:49 PM, Andy Bradford wrote:
> Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:
>
>> I want to include this idea in the password meters I create for web
>> applications. I need a better password scoring algorithm. I don't want
>> to *require* any minimum password complexity (other than a minimum
>> password length), but I do want to help the user choose a good
>> password.
>
> Inform them of the risks of using a bad password and what kinds of
> information will be compromised due to a bad password, let them make
> their own risk assessment. Offer a button that says ``Generate a secure
> password for me,'' and then call apg -a 1 -M SLNC (or whatever options
> you think are good for your applications), serve it up to them over SSL,
> and see if they take it. If this isn't enough to convince them to use a
> stronger password, then they have been warned.
Hmm, "apg -a 1 -M SLNC" produces:

K`4i-&]r
<*Xe>o]4
,ru7V;RO}x
CFp<7xY[?
K,$q42lC<Y
C3@-*TD\k

These are all insecure passwords because nearly everyone will write them
down. Maybe you're saying we should scare people into using better
passwords, but I suggest people don't react well to being frightened.

I want to achieve better security by leveraging more human strengths. In
particular, I think we humans are very good at handling words, while we
are not as good at handling individual characters. We can't easily treat
our linguistic memory as digital.

Shane

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
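As an added example, not code from either message in this thread: the Python below puts numbers on the trade-off Shane describes. It compares the entropy of an 8-character apg-style password (94-symbol pool, as "-M SLNC" draws from) with a passphrase built from randomly chosen words, works out how many words a list of a given size needs to match that entropy, and sketches a meter that credits a passphrase per word rather than per character. The 32-word list is constructed for the example only; the function names (`entropy_bits`, `words_needed`, `estimate_bits`, and so on) are this example's own, not any library's.

```python
import math
import re
import secrets
import string

# Constructed 32-entry word list for this example only (5 bits per word).
# A real deployment would use a large published list, e.g. the EFF long list
# of 7776 words, which gives log2(7776) ~= 12.9 bits per randomly chosen word.
WORDS = (
    "correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone",
    "candle", "window", "garden", "silver", "rocket", "pencil", "forest", "island",
    "butter", "copper", "dragon", "harbor", "jungle", "kettle", "lantern", "marble",
    "needle", "orange", "parrot", "quartz", "ribbon", "saddle", "tunnel", "velvet",
)
WORD_SET = frozenset(WORDS)

# Character pool matching apg -M SLNC: upper, lower, digits, symbols (94 total).
APG_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of uniformly chosen words from a list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_apg_style(length=8):
    """Character-at-a-time password in the style of apg -a 1 -M SLNC (CSPRNG via secrets)."""
    return "".join(secrets.choice(APG_ALPHABET) for _ in range(length))


def generate_passphrase(n_words, words=WORDS, sep="-"):
    """Word-at-a-time passphrase: each word drawn uniformly with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def estimate_bits(password, words=WORD_SET):
    """Meter estimate that credits a passphrase per word rather than per character.

    If the password splits cleanly into words from the list, assume each word was
    picked uniformly from that list (the attacker is assumed to know the list):
    bits = n_words * log2(len(words)). Otherwise fall back to the usual
    character-class pool estimate. Both figures are upper bounds, since a meter
    cannot know how the password was actually chosen.
    """
    tokens = [t for t in re.split(r"[^a-z]+", password.lower()) if t]
    if tokens and all(t in words for t in tokens):
        return len(tokens) * math.log2(len(words))
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    apg_bits = entropy_bits(len(APG_ALPHABET), 8)
    print(f"8-char apg-style password {generate_apg_style(8)!r}: ~{apg_bits:.1f} bits")
    for size in (len(WORDS), 7776):
        n = words_needed(apg_bits, size)
        print(f"{size}-word list: {n} words reach {n * math.log2(size):.1f} bits")
    print("sample passphrase:", generate_passphrase(words_needed(apg_bits, len(WORDS))))
    for pw in ("K`4i-&]r", "correct-horse-battery-staple"):
        print(f"{pw!r}: meter estimate {estimate_bits(pw):.1f} bits")
```

With the tiny 32-word list, eleven words are needed to match the roughly 52 bits of an 8-character apg password; with a 7776-word list, five words suffice. The per-word credit in `estimate_bits` only holds when the words really were chosen at random from the list, which is why a meter that offers a "generate a passphrase for me" button can trust its own output far more than a phrase the user typed in.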
