On 26/10/11 13:03, Steve Summit wrote:
> William Allen Simpson wrote:
> > This replacement password is much more easily guessed. The account could have been stolen within minutes or hours.
> Is this true? (Yes, I know that a fast machine can try zillions of passwords per hour in theory, but for a reasonably designed system, certainly not in practice.)
> > Please update the password generator to use at least 17 characters,
> That seems like far too many.
> In practice, that password is probably much stronger than most users' real passwords.
> It might perhaps be worth adding one more character, but the simplest way to increase security on this would be to just put a limit on the number of reactivation attempts for that particular password.
Assuming the seven-character password given, "YH2MnDD", uses the character set [A-Za-z0-9], there should be 62^7 ~= 3.5 x 10^12 possible such passwords.
Automatically expiring that temporary password after, say, 10 failed reactivation attempts would reduce the probability of successfully guessing that particular password to around 3 x 10^-12 -- probably safe enough for wiki purposes.
Based on this, I don't think it's likely to be nearly as much of a problem as brute-force attacks on ordinary login passwords that go for the "low-hanging fruit" of users with passwords like "1234" or "password1".
Even these can be substantially mitigated by a mixture of per-account and per-client-IP-address throttling, and CAPTCHAs.
If there's one measure I'd like to see that isn't (as far as I know) yet implemented, it would be to require admins and other privileged users to set strong passwords, perhaps initially by JavaScript-based warnings, and later by locking out those accounts completely, after a warning period of perhaps one year.
- Neil
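The keyspace arithmetic and the attempt-limited reactivation check discussed in this thread, written out as an added Python example (not code from the thread or from the wiki software under discussion). The ReactivationStore class, its limit of 10 failures and the 7-character [A-Za-z0-9] token are assumptions taken from the figures above.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # [A-Za-z0-9]: 62 symbols


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct tokens of the given length (62^7 for the thread's case)."""
    return len(alphabet) ** length


def guess_probability(length, max_attempts, alphabet=ALPHABET):
    """Chance that an attacker limited to max_attempts guesses hits a random token."""
    return max_attempts / keyspace(length, alphabet)


def generate_token(length=7, alphabet=ALPHABET):
    """Temporary password drawn with a CSPRNG, not random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class ReactivationStore:
    """Holds one temporary password per account and expires it after
    MAX_FAILURES wrong guesses, so the attacker's budget is bounded."""

    MAX_FAILURES = 10  # assumed limit, matching the thread's "say, 10"

    def __init__(self):
        self._tokens = {}  # account -> [token, failure_count]

    def issue(self, account, length=7):
        token = generate_token(length)
        self._tokens[account] = [token, 0]
        return token

    def is_active(self, account):
        return account in self._tokens

    def redeem(self, account, guess):
        entry = self._tokens.get(account)
        if entry is None:
            return False  # no live token: expired, used, or never issued
        token, failures = entry
        if hmac.compare_digest(token, guess):  # constant-time comparison
            del self._tokens[account]  # single use
            return True
        entry[1] = failures + 1
        if entry[1] >= self.MAX_FAILURES:
            del self._tokens[account]  # expire; user must request a new one
        return False
```

The probability a 10-guess attacker succeeds against a 7-character token is guess_probability(7, 10), about 2.8 x 10^-12, which matches the estimate in the message.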