[thelist] Retrieving password() field from a MySQL table
Hassan Schroeder
hassan at webtuitive.com
Tue Jan 21 00:25:01 CST 2003
noah wrote:

> People are lazy. If you do this, be sure to filter out people who enter
> "schnauser53" as their challenge question.

why? -- see below

> I'd be wary of allowing people to choose their own passwords and their own
> challenges -- I suspect you'll get combinations like "smith" and "my last
> name."

/* the "you" in the following is generic, not meant for noah
 * personally, BTW :-)
 */

(1) perhaps people don't have as exalted an idea of the security
of your site as you do -- I've seen registration required for
utterly trivial sites that acted like they were protecting my
bank account *and* Dick Cheney's Unspecified Location(tm).
Excessive "security" demands on users lead to monitors swathed
in Post-Its with userids and passwords...

(2) if you're picking challenge questions, put some thought into
the big-picture implications; I'm *not* going to tell you my
mother's maiden name.

Lame generic questions? Well, sorry, I don't have a favorite
color, fabric, or tire tread pattern.

If you make me pick one, I'll forget it in five minutes, and
the next time I want to use your site, I'll be tasking your
customer service department for a password change, costing you
money (maybe) and good will (certainly).

That said, I know it's hard to balance the conflicting demands of
security and usability. But *system* and *user account* security
should not be synonymous, and clearly the first takes precedence
over the second.

But "schnauser53" really has a nice ring to it. I might use that
for all of my passwords from now on. Maybe we all should.

Good call, rudy :-)
--
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.