On 26/10/11 14:24, Helder wrote:
On Wed, Oct 26, 2011 at 11:13, Neil Harris <neil@tonal.clara.co.uk> wrote:
If there's one measure I'd like to see that isn't (as far as I know) yet implemented, it would be to require admins and other privileged users to set strong passwords, perhaps initially by Javascript-based warnings, and later by locking out those accounts completely, after a warning period of perhaps one year.
+1
Thanks.
Proper password-strength checking is sufficiently compute- and dictionary-intensive that it should probably be done server-side, during the period when the password is still temporarily available in plaintext during the login operation, and always done after the user logs in successfully, even when the user doesn't have Javascript enabled.
Ideally, it could also be done interactively keystroke-by-keystroke on the password change dialogue, using AJAX callbacks to the server.
All this should, of course, be forced to be done over HTTPS -- as, eventually, should all logged-in or password-related activity of any sort.
- N.
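A sketch of the server-side measure described above, added here as an example and not code from the thread or from any wiki software: the check runs right after a successful login, while the plaintext is still in hand, and privileged accounts with a weak password get a warning period before lockout. The common-password list, the 40-bit entropy threshold and the 365-day period are assumptions for illustration.

```python
# Added example: server-side strength check after a successful login (see lead-in).
import math
from dataclasses import dataclass, field
from typing import Dict

# Constructed stand-in for a breached/common-password dictionary; a real
# deployment would load a much larger list from disk.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}

WARNING_PERIOD_DAYS = 365   # assumed grace period from first warning to lockout
MIN_ENTROPY_BITS = 40       # assumed threshold for privileged accounts


def estimate_entropy_bits(password: str) -> float:
    """Crude estimate: length * log2(size of the character classes used)."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def is_weak(password: str) -> bool:
    """Dictionary hit (including 'word + trailing digits') or low entropy."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789") in COMMON_PASSWORDS:
        return True
    return estimate_entropy_bits(password) < MIN_ENTROPY_BITS


@dataclass
class PolicyState:
    """Day number (e.g. days since epoch) of the first warning, per user."""
    first_warned: Dict[str, int] = field(default_factory=dict)


def check_at_login(state: PolicyState, user: str, password: str,
                   privileged: bool, today: int) -> str:
    """Call after the credentials verified. Returns 'ok', 'warn' or 'locked'."""
    if not privileged or not is_weak(password):
        state.first_warned.pop(user, None)   # strong again: clear the clock
        return "ok"
    started = state.first_warned.setdefault(user, today)
    return "locked" if today - started >= WARNING_PERIOD_DAYS else "warn"
```

Because the decision is made server-side from the submitted credentials, it applies whether or not the browser runs Javascript, and the plaintext never needs to be stored.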