Here is a scenario:
- We have a generic Web Application X over HTTP (no SSL)
- All passwords are salted with a unique 256 random character string
- After 5 incorrect attempts within 15 minutes the offending IP(s) will be blocked
- The IP will be unblocked after 8 hours
To me it seems that the greatest potential security problem is social
engineering:
- getting a user to give you their e-mail address and password (like Twitter and Facebook do),
- logging into their e-mail,
- finding out what bank they have,
- and then logging into their bank with the same password -
or
- finding their birthday and mother's maiden name from their e-mail
- and resetting their bank password.
What requirements should be imposed on a user? And what are methods of
increasing security without inconveniencing the user?
I'm a fan of length requirements, but not of requiring numbers, etc. People
just stick the number 1 at the end of the password if you require a number.
Should a user ever be required to change passwords? If so, why?
AJ ONeal
--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
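The lockout rule the message describes (5 incorrect attempts from one IP within 15 minutes blocks that IP; the block lifts after 8 hours), as an added example that is not part of the original post. The clock is passed in explicitly so it can be exercised offline; the IP addresses in the demo are constructed, and clearing the counter on a successful login is an assumption, not something the message specifies.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5              # incorrect attempts allowed ...
WINDOW_SECONDS = 15 * 60      # ... within this sliding window
BLOCK_SECONDS = 8 * 60 * 60   # how long the offending IP stays blocked


class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 block_for=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self._failures = defaultdict(deque)  # ip -> timestamps of failures
        self._blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        expires = self._blocked_until.get(ip)
        if expires is None:
            return False
        if now >= expires:
            # Block has aged out: forget it and the failures that caused it.
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Record one incorrect attempt; return True if the IP is now blocked."""
        if self.is_blocked(ip, now):
            return True
        attempts = self._failures[ip]
        attempts.append(now)
        # Keep only failures that fall inside the 15-minute window.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            return True
        return False

    def record_success(self, ip):
        # Assumption: a correct login resets the failure count for that IP.
        self._failures.pop(ip, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for second in range(5):  # constructed: five failures one second apart
        print(second, throttle.record_failure("192.0.2.10", 1000 + second))
```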