[thelist] Retrieving password() field from a MySQL table

Hassan Schroeder hassan at webtuitive.com
Tue Jan 21 00:25:01 CST 2003

noah wrote:

> People are lazy. If you do this, be sure to filter out people who enter
> "schnauser53" as their challenge question.

why? -- see below

> I'd be wary of allowing people to choose their own passwords and their own
> challenges -- I suspect you'll get combinations like "smith" and "my last
> name."

/* the "you" in the following is generic, not meant for noah
  * personally, BTW :-)

(1) perhaps people don't have as exalted an idea of the security
     of your site as you do -- I've seen registration required for
     utterly trivial sites that acted like they were protecting my
     bank account *and* Dick Cheney's Unspecified Location(tm).

     Excessive "security" demands on users lead to monitors swathed
     in Post-Its with userids and passwords...

(2) if you're picking challenge questions, put some thought into
     the big-picture implications; I'm *not* going to tell you my
     mother's maiden name.

     Lame generic questions? Well, sorry, I don't have a favorite
     color, fabric, or tire tread pattern.

     If you make me pick one, I'll forget it in five minutes, and
     the next time I want to use your site, I'll be tasking your
     customer service department for a password change, costing you
     money (maybe) and good will (certainly).

That said, I know it's hard to balance the conflicting demands of
security and usability. But *system* and *user account* security
should not be synonymous, and clearly the first takes precedence
over the second.

But "schnauser53" really has a nice ring to it. I might use that
for all of my passwords from now on. Maybe we all should.

Good call, rudy :-)

Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.

More information about the thelist mailing list