Password Security

[TcM]

What is the safest to let a user select his own password, or the system generates an automatic one for the user to use?

[John]

Letting the system generate a random 10 character password of characters, numbers, and special characters is generally much more secure than letting the user choose their own password, but its a large inconvenience to the user. I generally let them create their own password according to a set of rules. "Your password must be more than 5 characters, and it must contain a number." Or something similar to that.

[Jordan]

@Sidewinder, no it isn't because they often write these numbers down which circumvent the entire security procedure.

I do agree, the safest way is to set rules and let them choose their own. They can make the password something familiar to them at the same time enforcing odd characters and capitalization.

[John]

You wrote down our root password and we haven't been hacked yet.

According to my Red Hat Networking and System Administration text book:

Quote:

You might want to let users select their own passwords, which would no doubt make them easier to remember but which probably would be easier for a malefactor to crack. You might want to assign passwords, which is more secure in theory, but increases the likelihood that users will write them down on a conveniently located scrap of paper -- a risk if many people have access to the area where the machine(s) is located. You might decide that users must change their passwords periodically.

While your point holds true for an office setting, an e-commerce or Joomla website, I disagree.

[Jordan]

I agree with that statement from your text-book. Either way you look at it your users will be the worst threat.

[Sionofdarkness]

I don't think it is a problem if the user chooses their own password, but they definitely won't be as secure as a randomly generated one.

[TcM]

Wow, I lost this thread. It's good that I found it again.

Yeah I agree with the text book of John. So in both ways it's never secure... So still, what would you guys do? if you had to choose.

[Jordan]

I would choose rule setting (such as what ToastedPenguin.com enforces). With rule setting you can require xx cap letters, a shift letter (@!#$ etc..) and it can still have a meaning for the user which keeps them from writing it down (however they still might).

[DevilsCharm]

Ahh, a rule setting is a great middle ground between automated passwords and user selected ones.

[TcM]

But still the user might not be able to remember the symbol used...