[WEB SECURITY] suggesting passwords to users

Anurag Agarwal a_agrawwal at yahoo.com
Mon Apr 30 15:48:42 EDT 2007


If a system is generating passwords like "swiss napkin", etc., which are easier to remember, then the only thing which comes to my mind is that it may also be prone to smart dictionary attacks. Maybe I am wrong, but I would like to hear others' thoughts on this.
 
 
Cheers,
 
Anurag Agarwal
 
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal at yahoo.com
Blog : http://myappsecurity.blogspot.com
 



----- Original Message ----
From: Brian Eaton <eaton.lists at gmail.com>
To: Web Security <websecurity at webappsec.org>
Sent: Monday, April 30, 2007 10:41:51 AM
Subject: [WEB SECURITY] suggesting passwords to users


I just changed a password on a *nix system and encountered a message I
hadn't seen before.  The machine gave me all of the standard
recommendations about choosing passwords, such as password length (at
least eight characters) and character classes (upper case, lower case,
symbols, numbers, etc...).  Following all of that advice, the passwd
program displayed the message:

Alternatively, if noone else can see your terminal now, you can pick
this as your password: "Swiss-napkin;storm".

This struck me as being both good for security and user-friendly.
This is user friendly because:
- end users no longer have to struggle to find a password that meets
all of the password requirements on the system.
- the password is relatively easy to remember (less risk of being
locked out by accident)

This is good for security because:
- the suggested password can be randomly generated.
- the password is relatively easy to remember, reducing the risk of
the password being written down on a sticky note.
- users aren't choosing passwords based on personal information an
attacker might obtain, such as pet names or birthdays.

There is a trade-off being made: you run the risk of a shoulder-surfer
observing the password.  That trade-off seems pretty reasonable to me.
I'd be more concerned about the sticky-note problem than the
shoulder-surfer problem.

But I may be missing some of the risks created by this system; perhaps
this isn't such a clever idea.  Is this a good system for web based
applications to use?  When presenting a password change form, should
web apps suggest a randomly generated password?

Regards,
Brian
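The two messages above disagree about whether a suggestion like "Swiss-napkin;storm" is weak against a dictionary attack. The deciding quantity is the entropy of the generator, not how familiar the words look. The following Python is an added example written for this archive page, not code from either poster or from any passwd implementation. It assumes a constructed 16-word list (a real generator would use a list of thousands of words), that the attacker knows the exact word list, separator set and layout, and hypothetical guess rates; the entropy formula is exact for that attacker model, so the "smart dictionary attack" Anurag worries about costs precisely 2^bits candidates, no less.

```python
"""Word-based password suggestions and what a dictionary attacker who
knows the generator still has to enumerate."""
import math
import secrets

# Constructed sample word list; far smaller than a real one. Assumption for
# the whole example: words and separators are drawn uniformly by a CSPRNG,
# and the attacker has this same list and knows the layout.
WORDLIST = [
    "swiss", "napkin", "storm", "copper", "violin", "harbor", "meadow",
    "pixel", "quartz", "saddle", "lantern", "thimble", "walnut", "ember",
    "glacier", "marble",
]
SEPARATORS = ["-", ";", ".", "_"]


def keyspace_size(wordlist_size: int, n_words: int, n_separators: int = 1) -> int:
    """Number of distinct suggestions the generator can produce: n_words
    uniform picks joined by n_words - 1 separators."""
    if wordlist_size < 2 or n_words < 1 or n_separators < 1:
        raise ValueError("need at least two words, one pick and one separator")
    return wordlist_size ** n_words * n_separators ** (n_words - 1)


def passphrase_entropy_bits(wordlist_size: int, n_words: int,
                            n_separators: int = 1) -> float:
    """Entropy in bits; equals log2 of the keyspace because every output is
    equally likely. An attacker with the list gains nothing beyond this."""
    return (n_words * math.log2(wordlist_size)
            + (n_words - 1) * math.log2(n_separators))


def generate_passphrase(n_words: int, words=WORDLIST, separators=SEPARATORS,
                        choice=secrets.choice) -> str:
    """Build a suggestion in the 'Swiss-napkin;storm' shape. `choice` is
    secrets.choice by default and injectable so tests can be deterministic."""
    picked = [choice(words) for _ in range(n_words)]
    parts = [picked[0].capitalize()]
    for word in picked[1:]:
        parts.append(choice(separators))
        parts.append(word)
    return "".join(parts)


def expected_guesses(bits: float) -> float:
    """Average work for an attacker enumerating the whole space: half of
    the keyspace, 2**(bits - 1)."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time at a hypothetical offline guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def compare_schemes() -> tuple:
    """Three words from a 7776-word list with four separator choices versus
    the classic eight characters from 94 printable ASCII symbols.
    Returns (passphrase_bits, eight_char_bits)."""
    phrase_bits = passphrase_entropy_bits(7776, 3, len(SEPARATORS))
    char_bits = 8 * math.log2(94)
    return phrase_bits, char_bits


if __name__ == "__main__":
    print("suggestion:", generate_passphrase(3))
    bits = passphrase_entropy_bits(len(WORDLIST), 3, len(SEPARATORS))
    print(f"toy list: {bits:.1f} bits, {keyspace_size(len(WORDLIST), 3, 4)} candidates")
    phrase_bits, char_bits = compare_schemes()
    print(f"7776-word list, 3 words: {phrase_bits:.1f} bits; "
          f"8 random printable chars: {char_bits:.1f} bits")
    for rate in (1e4, 1e9):  # hypothetical online vs offline guess rates
        print(f"  at {rate:.0e} guesses/s: {years_to_crack(phrase_bits, rate):.2e} years")
```

Two things the numbers make visible: with the toy 16-word list three words give only 16 bits, so the list size is what matters, and with a diceware-sized list three words plus separators land in the same range as an eight-character random password while remaining something a user can actually remember. The remaining risk in both messages, that the suggestion is displayed on screen, is outside the entropy calculation entirely; a web form that suggests a password should at least avoid logging or caching the suggestion and should not reuse the same suggestion across requests.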
