I am neither a security expert nor a Validator committer, so please accept this as just a comment. If client-visible JavaScript containing password validation info is included in authentication pages (even just max -- should *never* exist -- or min lengths), this can give an advantage to hackers attempting dictionary attacks or using known info about users (e.g. initials, birthdates, last 4 digits of SSN, other short stupid stuff, etc.) to hack into accounts on a system that has this exposure. Any information that reduces the size of the valid password search space gives an advantage to a hacker -- especially one who may have info about the user whose account s/he is trying to break into.
Min length info *may* need to be communicated to users at enrollment time (when passwords are created, if they are created by users online); but it should *not* be made available to them on authentication pages or in the error messages that they generate on authentication failure.
As I said above, this is just my HO, but I would not recommend enabling this feature in Validator, since it could lead to developers unwittingly introducing security exposure into their code. I think we should always err on the side of conservatism when it comes to security issues and try not to leave too much choice to developers, who may misunderstand the docs or just make mistakes, resulting in exposure.
Phil
Robert Leland wrote:
David Graham wrote:
That's Microsoft's method: security by obscurity. We all know how well that works!

My point is not that you shouldn't tell your users the rules; it's that you shouldn't expose the validation algorithm to hackers. The less they know about the password system, the better.
David
I have been searching for articles saying that knowing minimum/maximum password lengths poses a security risk. I have not found such an article/blurb, either for or against. And it is impossible to not tell the user what the min/max values are in a usable system.

The only place where min/max lengths help out a little, very little, is in programs like jack the ripper, and this occurs once the password file has been copied off the machine to another to be cracked.

I also asked my co-worker who lives and breathes cryptology and runs a respected crypto news site, and he said it isn't an issue. The only comment he made is that there should not be maximum limits. (He probably also would like a 15 digit zip code ;) )!

I am trying to base decisions on facts, not FUD, and I see no references that would support a -1. I invite you to google for over an hour like I did.
-Rob
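The two positions above (a disclosed length rule "reduces the search space" versus it "helps out a little, very little") can be put side by side with arithmetic rather than opinion. The script below is an added example, not code from the thread or from Validator; it assumes a uniform alphabet of `alphabet` symbols and an attacker who would otherwise try every length from 1 up to some `ceiling`, and the function names are my own. It shows that a minimum-length rule on a large alphabet prunes about one percent of the work needed to exhaust the first allowed length, while a disclosed maximum (or a short, fixed-length numeric secret such as the "last 4 digits" case) removes almost the whole search space, which is the risk both posters actually agree on.

```python
"""Quantify how much a disclosed length rule shrinks a brute-force search space.

Added illustration for the Validator discussion; not part of the thread.
Assumptions: passwords are drawn uniformly from `alphabet` symbols, and an
attacker with no policy information tries every length from 1 to `ceiling`.
"""


def keyspace(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Number of strings whose length lies in [min_len, max_len]."""
    if alphabet < 1 or min_len < 1 or min_len > max_len:
        return 0
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def fraction_pruned(alphabet: int, min_len: int, max_len: int, ceiling: int) -> float:
    """Share of the lengths-1..ceiling search space an attacker can skip
    once told that valid passwords have length in [min_len, max_len]."""
    full = keyspace(alphabet, ceiling)
    remaining = keyspace(alphabet, min(max_len, ceiling), min_len)
    return 1.0 - remaining / full


def min_length_saving(alphabet: int, min_len: int) -> float:
    """Guesses skipped thanks to a known minimum length, expressed relative
    to the guesses needed to exhaust the first allowed length alone.
    For alphabet 95 and min_len 8 this is roughly 1/94, i.e. about 1%."""
    return keyspace(alphabet, min_len - 1) / (alphabet ** min_len)


def report() -> list[tuple[str, float]]:
    """Constructed scenarios: printable ASCII (95 symbols) and digits only."""
    rows = [
        # Minimum of 8, no maximum, attacker willing to go to length 64.
        ("min 8, no max, 95 symbols", fraction_pruned(95, 8, 64, 64)),
        # A disclosed maximum of 8 caps the search space instead.
        ("no min, max 8, 95 symbols", fraction_pruned(95, 1, 8, 64)),
        # Exactly-4-digit numeric secret, like the 'last 4 of SSN' case.
        ("exactly 4 digits, 10 symbols", fraction_pruned(10, 4, 4, 8)),
        ("min 8 saving vs length-8 work", min_length_saving(95, 8)),
    ]
    return rows


if __name__ == "__main__":
    for label, value in report():
        print(f"{label:32s} {value:.6f}")
```

The `min_length_saving` figure is the one that supports "very little": skipping lengths 1 to 7 saves about 1% of the effort of length 8 alone, because each extra character multiplies the space by the alphabet size. The `fraction_pruned` rows show the opposite case: telling an attacker the maximum, or that a secret is exactly four digits, discards essentially everything above that bound, which is why a server-side policy should have no maximum and why fixed-length numeric secrets are poor passwords regardless of what the page discloses.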