On 06/09/2014 10:44 AM, Jerry B. Altzman wrote:
on 6/7/2014 10:38 AM Gary Mort said the following:
A plea to anyone setting up a website where you will have users log on. Make your default password rule something simple, like any 4 characters. A password complexity system should allow for multiple tiers of rules with a configurable default rule that is set, by default :-), to something simple. Tune those tiers and defaults based on your website need, not by blindly implementing the preachings of the high priests of security.
http://bit.ly/1xxLQXJ (Link is SFW.)
Better yet: don't make users create accounts if they don't have to. Let them log in with FB, LinkedIn, Twitter, or Google accounts instead. The chances are the user already HAS one of those.

I definitely prefer using an external account. Going even a step further, you can instead use SSL certificates and the keygen tag.

While the UI is a little clunky on the browser side, on the server side it works perfectly. Just add a keygen field on your signup or user profile editor, and when the user signs up/submits an edit, the client will automatically generate and send a public key with the form. Server side, you just need to format it into a certificate, sign it with your SSL key, and send the signed certificate back to the client.

However, while I love all the alternates, the simple password logon isn't going away, so avoiding hardcoded rules and treating it as a binary string lets users choose what is convenient to them. [I personally like to add a symbol of some sort, such as the copyright symbol ©, but most password systems are stuck to a limited ASCII range.]
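As an added illustration (not code from this thread or from the NYPHP list), here is a Python sketch of the tiered-but-simple policy from Gary's first message combined with the "treat it as a binary string" handling argued for above: the ASCII-only check is shown beside a check that only applies a per-tier length floor, and the hashing works on the UTF-8 bytes. Tier names, the length floors and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Tier table: only a length floor per tier, no character-class rules.
# Tier names and numbers are constructed for this example.
TIERS = {
    "basic": {"min_chars": 4},   # the simple default for ordinary sign-ups
    "staff": {"min_chars": 10},
    "admin": {"min_chars": 14},
}
DEFAULT_TIER = "basic"
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def ascii_only_policy(password: str) -> bool:
    """The restrictive check this example argues against: printable ASCII only."""
    return all(0x20 <= ord(c) < 0x7F for c in password)


def to_bytes(password: str) -> bytes:
    """Normalize to NFC so the same symbol typed two ways yields the same bytes."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def check_password(password: str, tier: str = DEFAULT_TIER) -> tuple[bool, str]:
    """Apply only the tier's length floor; any character, including ©, is accepted."""
    rule = TIERS.get(tier, TIERS[DEFAULT_TIER])
    length = len(unicodedata.normalize("NFC", password))  # count characters, not bytes
    if length < rule["min_chars"]:
        return False, f"tier {tier!r} requires at least {rule['min_chars']} characters"
    return True, "ok"


def hash_password(password: str) -> str:
    """Hash the raw bytes with a per-user salt; stored as rounds$salt$digest (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", to_bytes(password), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", to_bytes(password), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```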


_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show-participation
