


With all due respect to those who have offered their suggestions on
generating passwords, I think we need to reconsider the scenario of the
original request.

The original request was that new users be given a password, that would be
changed by them to whatever they want the first time they sign in.  This is
where the real problem lies.

No matter how sophisticated or randomised the password, it will be useful
for about 30 seconds.  After that, the user will put in the wife's name or
the dog or (heaven forbid) 'password'.

So while we can come up with all sorts of wonderful formulas, if, in the
end, the user is choosing their own password, it will all be for naught.


And even if we assign passwords, please remember the most common method of
password hacking in companies.  It is that the hacker simply rings up and
asks IT for the password, or for IT to reset it to 'password' so he/she can
start again.  "Hi, I'm Fred from manufacturing.  I've forgotten my
password.  Can you tell me what it is?".

Not exactly high tech!  It doesn't matter how sophisticated you make the
password, if you simply tell it to the hacker over the phone, you've
achieved nothing.

The closest anyone has got to recognising this fact is the suggestion to
use the mother's maiden name as the reset password.  A good start, but not
foolproof, of course.  Any smart hacker can get your mother's maiden name
quite quickly.  "Hello, I'm from Visa.  We have a problem with your credit
card.  Can you confirm your identity by giving us your mother's maiden
name?"


If the aim is to keep unauthorised users out, and surely that's the point
of passwords in the first place, the best method of defense is
administrative, not technical.  It is in controlling the distribution of
passwords, the choices users have in creating their own vs taking one from
IT, and the processes we use to replace lost passwords.

All else is secondary, no matter how sophisticated.





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
