21
chippyash
Re: How to force the users of ours site to use safe passwords?
  • 2006/11/4 16:00

  • chippyash

  • Friend of XOOPS

  • Posts: 501

  • Since: 2004/1/29


Good work rplima2004. You might also consider adding in the email address checking functionality hack that I posted in the news section on this site yesterday.

If anyone is wondering how you come up with strong passwords, here's a scheme that I have used very succesfully in corporate environments. (this is for english language but the principle applies universally.)

1/ assign numbers to vowels e.g.
a = 3
e = 4
i = 5
o = 6
u = 7

Use whatever sequence of numbers you like but you have to remember the sequence.

2/ Choose a long phrase that means smething to you. e.g. if you are into sailing you might consider "tall ships" to be such a phrase.

3/ Capitalize the phrase and remove spaces
e.g. TallShips

4/ substitute the vowels for your numbers
i.e. T3llSh5ps

voila, you have a secure password

If enforced password changes are implemented (very good idea imho) then simply add a month suffix or prefix to the password when you need to change it i.e. T3llSh5ps06 for a password changed in June.

Sorry if this sounds like teaching your grandmother to suck eggs, but it might help someone.

A

22
giba
Re: How to force the users of ours site to use safe passwords?
  • 2006/11/4 16:17

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


No your metod is very good too

But, force users change simple password is necessary.
Well, dependencie of site too.

[Edited by Giba]

I am analysing for parameter in admin area for test password users.

if simple password, change e-mail for change in 30 days.
if user not change password after it day, and not login in site, disable account/login this user, and send e-mail with this information.

23
skenow
Re: How to force the users of ours site to use safe passwords?
  • 2006/11/4 22:19

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Captcha will not stop a malicious attack by a person on someone else's account.

Locking the account is a standard method for dealing with failed logins. However, locking the admin account is a bad thing without a way to reset it.

Perhaps a combination of approaches - after x attempts, send an email to the account owner that includes a way to reset the password. Also set the account to require Captcha until a successful login occurs.

Just some ideas.

Login

Who's Online

169 user(s) are online (100 user(s) are browsing Support Forums)


Members: 0


Guests: 169


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits