Password Reset
From: Richard Waid
Date: 2007 Oct 29 00:30 UTC
On Mon, 2007-10-29 at 12:48 +1300, Michael JasonSmith wrote:
> My second concern is what restrictions, if any, do we place on the
> password? Currently, the JavaScript embedded into the page ensures
> that the password is set to something, so no blank passwords are
> allowed. However, we could ensure that the password contains at least
> one number, a mixture of upper and lower case, and cannot be cracked
> by the standard tools. Alternatively, we could use a "strength metre",
> like Google, to rate the password.

I think I prefer the strength meter. I don't believe it will be
confusing to those who are not familiar with security ... people are not
familiar with security because they don't have it pointed out to them
very often. I think people will generally 'get it' anyway. For those
that are familiar with security ... well, it's an interesting novelty to
play with.

I think that password enforcement is *bad*: we want people to choose a
password they remember, and that won't cause them to have to use the
password reminder every time they visit the site, and that is
commensurate with the security required for the site.