on 6/7/2014 10:38 AM Gary Mort said the following:
A plea to anyone setting up a website where you will have users log
on. Make your default password rule something simple, like any 4
characters. A password complexity system should allow for multiple
tiers of rules with configurable default rule that is set, by default
:-), to something simple. Tune those tiers and defaults based on your
website need, not by blindly implementing the preachings of the high
priests of security.
http://bit.ly/1xxLQXJ (Link is SFW.)
Better yet: don't make users create accounts if they don't have to. Let
them log in with FB, LinkedIn, Twitter, or Google accounts instead. The
chances are the user already HAS one of those.
If you use password authentication for user accounts, then base your
rules on your needs. Site owner/Super Admin/Developer accounts should
require complex passwords and two-factor authentication. Day-to-day
site manager accounts most likely only need complex passwords [based on
potential damage of a compromised account... if a site manager can give
out refunds and credits for an e-commerce site, obviously you want to
add extra security!]
Yes, for these things, you almost certainly want a second layer of
authentication atop the ones above. For these, little crypto keyfobs are
great. If the potential financial loss is large, the client should not
balk at the relatively small cost.
Every time I browse around to some interesting-looking website where I
have to "create an account" to access something, I get increasingly
upset at those sites trying to force their idea of security on an
account that I don't care about. If I decide I want to actively use
the site and am giving it sensitive information, I will change that
password to something complex. If I never return to that site, then I
don't care about the account.
More and more people just use "I forgot my password", and deal with it
that way. Either you've exchanged the password for a security question,
or just access to a user's email.
//jbaltz
--
jerry b. altzman | jba...@altzman.com | www.jbaltz.com | twitter:@lorvax
thank you for contributing to the heat death of the universe.
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show-participation