[WEB SECURITY] suggesting passwords to users
Brian Eaton
eaton.lists at gmail.com
Mon Apr 30 19:56:53 EDT 2007
On 4/30/07, Mike Shema <mikeshema at yahoo.com> wrote:
> Instead of worrying about the shoulder-surfer, the exposure I imagine is if
> the random word selection isn't "random" enough and could be modeled. The
> security of the system shouldn't be based on the secrecy of the wordlist; it
> should be based on a uniformly random selection from a large list. ("Large"
> being balanced between desired combinations and words that are easy to
> remember.) There might be minor issues of caching the page with the
> suggested password, but I think that can be solved trivially.
Cache-control headers are a start at dealing with the caching problem,
but the back button will still show the page. AJAX could help, too: you
could fetch a fresh password from the server each time the page is
reloaded.
Another option would be to transfer the entire word list to the
client, and calculate the suggested password there. The word list
would take several kB compressed, but that's not unreasonable. I'm
not sure whether JavaScript or Java applets could be trusted with
random number generation, however.
Cheers,
Brian
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]