random password vs. user created password for site login

mcdougals4all · 02-01-2005, 09:08 PM

Are there any security issues or other concerns that make one preferable? The client is pushing for user created passwords.

I'm mapping out the basic functionality and front-end for a MySQL/PHP back-end that will be completed by a third party. I'm a novice to MySQL but familiar with PHP and their interaction. Mainly looking for anything to support one method over the other.

raf · 02-01-2005, 09:26 PM

wel, if they are random passwords, then there is a higher chance that they'll be 'strong' passwords. I mean; every application with a fair number of users will have a few funny guys that use 'secret' or smilar.

if you use user created once, then some of the things you can do are:
- require a minimum length (at least 5 positions)
- require them to use both numbers and letters
- check to make sure that the password isn't identiccal to the username
- check to make sure that the username is not part of the password
- check if the password isn't inside your collection of bad-words (secret, password, enter etc)
- require them to change the password every 30 days or so
etc

mcdougals4all · 02-01-2005, 09:45 PM

Thank you. This gives me the back-up I need to push for a random password.

02-01-2005, 09:08 PM	PM User \| #1
mcdougals4all Regular Coder Join Date: Jul 2004 Location: mile high city Posts: 482 Thanks: 0 Thanked 0 Times in 0 Posts	random password vs. user created password for site login Are there any security issues or other concerns that make one preferable? The client is pushing for user created passwords. I'm mapping out the basic functionality and front-end for a MySQL/PHP back-end that will be completed by a third party. I'm a novice to MySQL but familiar with PHP and their interaction. Mainly looking for anything to support one method over the other. __________________ Computer, kill Flanders... Did I hear my name? My ears are burning... Good start. Now finish the job.

02-01-2005, 09:26 PM	PM User \| #2
raf Master Coder Join Date: Jul 2002 Posts: 6,589 Thanks: 0 Thanked 0 Times in 0 Posts	wel, if they are random passwords, then there is a higher chance that they'll be 'strong' passwords. I mean; every application with a fair number of users will have a few funny guys that use 'secret' or smilar. if you use user created once, then some of the things you can do are: - require a minimum length (at least 5 positions) - require them to use both numbers and letters - check to make sure that the password isn't identiccal to the username - check to make sure that the username is not part of the password - check if the password isn't inside your collection of bad-words (secret, password, enter etc) - require them to change the password every 30 days or so etc __________________ Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

02-01-2005, 09:45 PM	PM User \| #3
mcdougals4all Regular Coder Join Date: Jul 2004 Location: mile high city Posts: 482 Thanks: 0 Thanked 0 Times in 0 Posts	Thank you. This gives me the back-up I need to push for a random password. __________________ Computer, kill Flanders... Did I hear my name? My ears are burning... Good start. Now finish the job.

Thread Tools
Show Printable Version Email this Page
Rate This Thread
Rate This Thread: