On 26/10/11 14:24, Helder wrote:
> On Wed, Oct 26, 2011 at 11:13, Neil Harris <neil(a)tonal.clara.co.uk> wrote:
>> If there's one measure I'd like to see that isn't (as far as I know) yet
>> implemented, it would be to require admins and other privileged users to set
>> strong passwords, perhaps initially by JavaScript-based warnings, and later
>> by locking out those accounts completely, after a warning period of perhaps
>> one year.
> +1
Thanks.
Proper password-strength checking is sufficiently compute- and
dictionary-intensive that it should probably be done server-side, during
the period when the password is still temporarily available in plaintext
during the login operation, and always done after the user logs in
successfully, even when the user doesn't have JavaScript enabled.
Ideally, it could be also done interactively keystroke-by-keystroke on
the password change dialogue, using AJAX callbacks to the server.
All this should, of course, be forced to be done over HTTPS -- as,
eventually, should all logged-in or password-related activity of any sort.
- N.
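The flow Neil sketches above (check strength on the server right after a successful login, warn first, lock privileged accounts out once the warning period has run), as an added example for this thread. It is not MediaWiki code and not something the posters wrote; the policy thresholds, the account model, the tiny stand-in dictionary and the normalisation heuristic are all assumptions chosen for illustration.

```python
"""
Server-side password-strength check run after a successful login, with a
warning period before privileged accounts are locked out.

Added example for this thread, not MediaWiki code.  MIN_LENGTH,
MIN_CLASSES, GRACE_PERIOD_SECONDS, the Account model and WEAK_DICTIONARY
are assumed values for illustration only.
"""
import re
import string
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a tiny stand-in for a real wordlist/breach dictionary.
WEAK_DICTIONARY = {"password", "wikipedia", "letmein", "qwerty", "admin"}

MIN_LENGTH = 12                        # assumed policy value
MIN_CLASSES = 3                        # of: lower, upper, digit, symbol
GRACE_PERIOD_SECONDS = 365 * 86400     # "a warning period of perhaps one year"


def _normalise(pw: str) -> str:
    """Undo common cosmetic tweaks before the dictionary lookup: lowercase,
    strip a trailing run of digits/symbols, then map a few leet substitutions
    (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s)."""
    s = re.sub(r"[^a-z]+$", "", pw.lower())
    return s.translate(str.maketrans("013457@$", "oleastas"))


def strength_problems(password: str, dictionary=WEAK_DICTIONARY) -> List[str]:
    """Return the reasons a password fails policy; an empty list means it passes.
    This is the expensive part Neil wants on the server, not in the browser."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        any(c in cls for c in password)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if _normalise(password) in dictionary:
        problems.append("based on a dictionary word")
    return problems


@dataclass
class Account:
    name: str
    privileged: bool
    # Only the *fact* that a weak password was seen is persisted (as a Unix
    # timestamp), never the password itself.
    weak_since: Optional[float] = None


def on_successful_login(acct: Account, password: str, now: float) -> str:
    """Called once the credential has already been verified, while the plaintext
    is still transiently in memory.  Returns 'ok', 'warn' or 'lockout'.
    Non-privileged accounts are only ever warned; privileged ones are locked
    out when the grace period has elapsed since the weakness was first seen."""
    if not strength_problems(password):
        acct.weak_since = None              # password was changed: reset the clock
        return "ok"
    if acct.weak_since is None:
        acct.weak_since = now               # first sighting starts the warning period
    if acct.privileged and now - acct.weak_since >= GRACE_PERIOD_SECONDS:
        return "lockout"
    return "warn"


if __name__ == "__main__":
    # Constructed demo account and a weak sample password.
    alice = Account("admin-alice", privileged=True)
    for candidate in ("P@ssw0rd123", "Tr0ub4dor&3-Quasar!"):
        print(candidate, strength_problems(candidate),
              on_successful_login(alice, candidate, time.time()))
```

The lockout decision keys off the first time a weak password was observed rather than a global deadline, so an admin who logs in rarely still gets the full warning period, and clearing `weak_since` on the first acceptable password means a changed password is never penalised for its predecessor.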