Forum OpenACS Q&A: Re: Interesting article on web based password protection

Our Project Portfolio Management site's customer's customer has strong but not particularly clearly articulated security concerns.  Security is an interesting customer requirement because the levels of education on the subject are so variable.  A good white paper on what we have, how it compares to common web sites, how to use it, and why it's good would probably be a smart marketing move.

Currently we have been asked to implement expiring passwords and there also seems to be interest in strong passwords.

Has anyone done this yet or planning to in the next month or so?  I'd be interested in putting together a coalition to work/fund these sorts of issues if there is interest.

Checking for strong passwords sounds good, but I never understood the attraction of expiring passwords.

Maybe I'm missing something, but let's see, the user thought up a good, hard to break password, and carefully memorized it, so he never had to write it down anywhere and risk compromising security. Now what do you do? A few months later, you make him do it all again - you punish the user for his diligence.

IMO, that path leads right back to passwords on post-its and passwords like "foobar123". If you're lucky, the clever user will subvert your (hopefully simple-minded) password expiry scheme and simply alternate back and forth between two good secure passwords that he remembers.
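The two posts above ask for strong-password checks and password expiry, and raise the obvious weakness of a naive expiry scheme: a user alternating between two remembered passwords. The block below is an added example written for this thread, not code from OpenACS or from either poster, and it is in Python rather than OpenACS's Tcl so that it runs stand-alone. It combines a strength check (length, character classes, a constructed common-password list), a salted PBKDF2 hash store, and a password history of the last few hashes so that the alternating trick is refused. The policy constants, the day-count clock and the sample passwords are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values for this example (assumptions, not OpenACS settings).
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3       # of: lowercase, uppercase, digit, symbol
HISTORY_DEPTH = 5          # how many previous password hashes are remembered
MAX_AGE_DAYS = 90          # password must be changed after this many days
PBKDF2_ITERATIONS = 100_000
# Constructed sample of a "known weak passwords" list.
COMMON_PASSWORDS = {"password", "foobar123", "letmein", "qwerty123"}


def strength_problems(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """Minimal account record: current hash, recent hash history, last-change day."""

    def __init__(self, password: str, today: int):
        self.history = []          # list of (salt, digest), newest last
        self.changed_on = today    # day number (a simple clock for the example)
        self._store(password, today)

    def _store(self, password: str, today: int) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the newest entries
        self.changed_on = today

    def verify(self, password: str) -> bool:
        """Check a login attempt against the current (newest) hash in constant time."""
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def is_expired(self, today: int) -> bool:
        return today - self.changed_on >= MAX_AGE_DAYS

    def was_used_before(self, password: str) -> bool:
        """True if the candidate matches any remembered hash, not just the current one."""
        return any(
            hmac.compare_digest(hash_password(password, salt)[1], digest)
            for salt, digest in self.history
        )

    def change_password(self, new_password: str, today: int) -> list:
        """Apply the change if it passes policy; return the list of refusal reasons."""
        problems = strength_problems(new_password)
        if self.was_used_before(new_password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self._store(new_password, today)
        return problems
```

Because `was_used_before` compares against every hash in the history rather than only the current one, flipping back and forth between two passwords is refused until the older one has aged out of the last `HISTORY_DEPTH` entries; a site that wants to block that too can simply keep a deeper history. The history stores only salted hashes, so it leaks nothing more than the current credential would if the table were read.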