I'm going to pick on Neil a little, because I know he can take it, but it applies to just about everybody else in this thread.
For shame.
On 10/26/11 9:13 AM, Neil Harris wrote:
> On 26/10/11 13:03, Steve Summit wrote:
>> William Allen Simpson wrote:
>>> This replacement password is much more easily guessed. The account could have been stolen within minutes or hours.
>>
>> Is this true? (Yes, I know that a fast machine can try zillions of passwords per hour in theory, but for a reasonably designed system, certainly not in practice.)
>>
>>> Please update the password generator to use at least 17 characters,
>>
>> That seems like far too many.
>
> In practice, that password is probably much stronger than most users' real passwords.

Please don't conflate user choices with our choices. Since the password is generated on demand, the adversary *knows* something was generated and sent.
That's quite different than attacking a random user.

It is our choice to send a weak password in email -- a bad choice.

> It might perhaps be worth adding one more character,

Really, how *hard* is it to generate a longer string?

> , but the simplest way to increase security on this would be to just put a limit on the number of reactivation attempts for that particular password.

Why would this be simpler? Seems like a lot more code to me.

> Assuming the seven-character password given, "YH2MnDD", uses the character set [A-Za-z0-9], there should be 62^7 ~= 3.5 x 10^12 possible such passwords.

I really wish folks would at least read a Wikipedia article before making such calculations. :-(

No, you've listed the number of combinations, not the entropy.

No, 40 bits of strength means 2**20 attempts on average. Same order of magnitude as WEP. You remember WEP, the security designed to be easily crackable?

https://secure.wikimedia.org/wikipedia/en/wiki/Wired_Equivalent_Privacy
In 2005, a group from the U.S. Federal Bureau of Investigation gave a demonstration where they cracked a WEP-protected network in 3 minutes using publicly available tools.

Or, maybe, perhaps, you might trust that a well-known long-time security professional is telling you the generated password is too weak. ;-)

> Automatically expiring that temporary password after say, 10 failed reactivation attempts, would reduce the probability of successfully guessing that particular password to around 3 x 10^-12 -- probably safe enough for wiki purposes.

No, that's not correct math.

Worse, that would generate a denial of service attack all on its own. All the adversary has to do is send periodic attempts to lock somebody out of their own account.

Moreover, what problem does that solve?

> Based on this, I don't think it's likely to be nearly as much of a problem as brute-force attacks on ordinary login passwords that go for the "low-hanging fruit" of users with passwords like "1234" or "password1".

This is the lowest *possible* hanging fruit. We're generating it!

> Even these can be substantially mitigated by a mixture of per-account and per-client-IP-address throttling, and CAPTCHAs.

While it would be nice to have better user password checking, and require all login sessions to be over HTTPS, and not use cookies to identify sessions, and many other desirable improvements -- this is the simplest and easiest thing I can imagine!

> If there's one measure I'd like to see that isn't (as far as I know) yet implemented, it would be to require admins and other privileged users to set strong passwords, perhaps initially by JavaScript-based warnings, and later by locking out those accounts completely, after a warning period of perhaps one year.

Now, that seems much too long a time. I'd make it a prerequisite for being an administrator at all!
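
Added example, not part of the original message and not MediaWiki's code: a temporary-password generator that derives its length from a target entropy, using the [A-Za-z0-9] character set mentioned in the thread. The function names and the 100-bit default target are assumptions made for illustration; the entropy figures hold only when every character is drawn uniformly and independently from a CSPRNG.

```python
import math
import secrets
import string

# Character set assumed in the thread for "YH2MnDD": [A-Za-z0-9], 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of this length (62**7 for the thread's case)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits, assuming uniform and independent character choice."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest password length whose entropy reaches target_bits."""
    if target_bits <= 0:
        raise ValueError("target_bits must be positive")
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_temp_password(min_bits: float = 100.0) -> str:
    """Generate a temporary password with at least min_bits of entropy.

    min_bits=100 is an assumed policy value, not one taken from the thread.
    secrets.choice draws from the operating system's CSPRNG, unlike random.choice.
    """
    length = min_length_for_bits(min_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n in (7, 8, 17):
        print(f"{n:2d} chars: {keyspace(n):.3e} passwords, {entropy_bits(n):6.1f} bits")
    print("length needed for 100 bits:", min_length_for_bits(100))
    print("sample temporary password: ", generate_temp_password())
```

With this character set, the 17 characters requested in the thread are the shortest length that reaches 100 bits.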