What is the safest: to let a user select his own password, or to have the system generate an automatic one for the user to use?
Password Security
Started by TcM, Feb 18 2008 01:59 AM
71 replies to this topic
#1
Posted 18 February 2008 - 01:59 AM
#2
Posted 18 February 2008 - 08:18 AM
Letting the system generate a random 10-character password of characters, numbers, and special characters is generally much more secure than letting the user choose their own password, but it's a large inconvenience to the user. I generally let them create their own password according to a set of rules. "Your password must be more than 5 characters, and it must contain a number." Or something similar to that.
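The trade-off in post #2, as an added example that is not part of the original thread: it generates a random 10-character password, checks the quoted rule ("more than 5 characters, and it must contain a number"), and compares the guessing space of each. The function names and the sample passwords are constructed for illustration, and the "letters plus one trailing digit" pattern is an assumption about the weakest password the rule still accepts.

```python
import math
import secrets
import string

# Letters, digits and special characters: 52 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=10):
    """System-generated password: every character drawn uniformly from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def meets_rule(password):
    """Rule quoted in the post: more than 5 characters and at least one number."""
    return len(password) > 5 and any(c in string.digits for c in password)


def random_bits(length=10, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def rule_floor_bits(length=6, letters=26, digits=10):
    """Guessing space of the weakest style the rule accepts (assumed pattern):
    lowercase letters followed by one trailing digit, e.g. 'hello1'."""
    return math.log2(letters ** (length - 1) * digits)


def audit(passwords):
    """Map each candidate password to whether the rule accepts it."""
    return {p: meets_rule(p) for p in passwords}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real system.
    samples = ["hello1", "password", "abc12", generate_password()]
    for pw, ok in audit(samples).items():
        print(f"{pw!r:16} accepted by rule: {ok}")
    print(f"random 10-char password: {random_bits():.1f} bits")
    print(f"weakest rule-compliant pattern: {rule_floor_bits():.1f} bits")
```

The rule accepts `hello1`, so what it guarantees is only the floor of roughly 27 bits, against roughly 66 bits for the generated password.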
#3
Guest_Jordan_*
Posted 18 February 2008 - 09:32 AM
@Sidewinder, no it isn't, because they often write these numbers down, which circumvents the entire security procedure.
I do agree, the safest way is to set rules and let them choose their own. They can make the password something familiar to them at the same time enforcing odd characters and capitalization.
#4
Posted 18 February 2008 - 04:50 PM
You wrote down our root password and we haven't been hacked yet.
According to my Red Hat Networking and System Administration textbook:
Quote
You might want to let users select their own passwords, which would no doubt make them easier to remember but which probably would be easier for a malefactor to crack. You might want to assign passwords, which is more secure in theory, but increases the likelihood that users will write them down on a conveniently located scrap of paper -- a risk if many people have access to the area where the machine(s) is located. You might decide that users must change their passwords periodically.
While your point holds true for an office setting, an e-commerce or Joomla website, I disagree.
#5
Guest_Jordan_*
Posted 19 February 2008 - 04:46 AM
I agree with that statement from your textbook. Either way you look at it, your users will be the worst threat.
#6
Posted 14 May 2008 - 02:49 AM
I don't think it is a problem if the user chooses their own password, but they definitely won't be as secure as a randomly generated one.
#7
Posted 19 May 2008 - 07:53 AM
Wow, I lost this thread. It's good that I found it again.
Yeah, I agree with the textbook of John. So in both ways it's never secure... So still, what would you guys do, if you had to choose?
#8
Guest_Jordan_*
Posted 19 May 2008 - 07:58 AM
I would choose rule setting (such as what ToastedPenguin.com enforces). With rule setting you can require xx cap letters, a shift letter (@!#$ etc.) and it can still have a meaning for the user, which keeps them from writing it down (however they still might).
#9
Posted 27 May 2008 - 11:15 AM
Ahh, a rule setting is a great middle ground between automated passwords and user selected ones.
#10
Posted 27 May 2008 - 11:18 AM
But still the user might not be able to remember the symbol used...
#12
Posted 28 May 2008 - 06:14 AM
Xav said:
Well that's their problem, innit?
Jordan said:
...and it can still have a meaning for the user which keeps them from writing it down (however they still might).
That is the problem.
Edited by TcM, 28 May 2008 - 06:48 AM.

