
Message # 1010852:
Date: 04/16/02 22:01
By: Lee Profile
Subject: Think like an Application Architect

OK folks, this has been an excellent thread.

I've copied a lot of code, tweaked it and learned a lot.

But this entire thread seems to be missing one thing: A clear understanding of WHY one would want to generate pronounceable passwords -- So an admin or an ad can give users ONE-TIME access to the site.

That's all generated passwords should do.

I'll sort of condense what has been written before, but in a linear, application-centric manner. K?

-- The "AOL-flavored" passwords are a good thing, but they should be for one-time use ONLY. Forgot your password? Click here! (auto-generated password sent to e-mail on record [no e-mail on record? Message saying such, contact admin]). Such events should, obviously, be logged.

-- There should be THREE columns in every user table (call them what you want): try_count (int), change_password (bit) and locked (bit). Whenever an admin resets a password, or the application does via the "forgot password" link, the change_password field should be set to 1 (true). Users can log in with this fabricated password, but are forced to change it before continuing or whatever you decide. The try_count says a user can mess up X times (global variable) before getting locked out. If locked out, that's either 1) User who can't type, 2) Dictionary attacker.

-- As noted by someone, the IP does not really matter. Dynamic IPs, weird DHCP rules and all make this messy. Skip that. Just allow a certain amount of times (per valid user ID) and then lock out the user. Yes, if I know a user's ID I can get the account locked. But all such attempts should be logged, so one can go after this IP. Reset the try_count after each SUCCESSFUL login. (Yes, takes me three tries to log in usually; if the limit is five, why should I be shut out the second time?)

-- As Katie has noted, these types of passwords are susceptible to dictionary attacks. Yes, "th,4,*" is a much better password than "under_interlope" or whatever. That's why a site programmer should force users to change these auto-generated passwords and enforce some sort of complexity rules (with regular expressions, validation is easily handled).

-- Good code here; let's think about the app, however. Critical
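The flow Lee lays out above (three columns per user, lock after X failures per user ID, reset try_count only on a successful login, one-time generated password that must be changed, complexity enforced with a regular expression, everything logged with the caller's IP), as an added example in Python against an in-memory SQLite table. This is not code from the thread or from any poster. The column names are the ones the post uses; MAX_TRIES = 5, the complexity rule, salted PBKDF2 hashing, the auth_log table, and the policy that a reset also clears the lock are assumptions, and the user name, passwords and IP address are constructed.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

MAX_TRIES = 5  # the post's "X times (global variable)"; 5 is an assumed value

# The post's three columns (try_count, change_password, locked) plus a log table with the caller's IP.
SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, pw_hash TEXT NOT NULL, salt TEXT NOT NULL,
                    try_count INTEGER NOT NULL DEFAULT 0, change_password INTEGER NOT NULL DEFAULT 0,
                    locked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE auth_log (ts INTEGER NOT NULL DEFAULT (strftime('%s', 'now')), user_id TEXT,
                       remote_ip TEXT, event TEXT NOT NULL);
"""
# Assumed complexity rule: 8+ characters with a lower, an upper, a digit and a symbol.
COMPLEXITY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$")

def hash_pw(password, salt_hex):
    # Salted PBKDF2; the post says nothing about hashing, so this is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000).hex()

def pronounceable(length=8):
    # "AOL-flavored" consonant/vowel alternation from a CSPRNG; for one-time use only.
    cons, vows = "bcdfghjklmnprstvwz", "aeiou"
    return "".join(secrets.choice(cons if i % 2 == 0 else vows) for i in range(length))

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def log(db, user_id, ip, event):
    db.execute("INSERT INTO auth_log (user_id, remote_ip, event) VALUES (?, ?, ?)", (user_id, ip, event))

def create_user(db, user_id, password):
    salt = secrets.token_hex(16)
    db.execute("INSERT INTO users (user_id, pw_hash, salt) VALUES (?, ?, ?)", (user_id, hash_pw(password, salt), salt))

def reset_password(db, user_id, ip, by):
    """Admin or forgot-link reset: new one-time password, change_password=1, event logged.
    Assumed policy: a reset also clears try_count and the lock, since the old password is gone."""
    temp, salt = pronounceable(), secrets.token_hex(16)
    cur = db.execute("UPDATE users SET pw_hash=?, salt=?, change_password=1, try_count=0, locked=0 "
                     "WHERE user_id=?", (hash_pw(temp, salt), salt, user_id))
    if cur.rowcount == 0:
        log(db, user_id, ip, "reset-unknown-user")
        return None
    log(db, user_id, ip, "password-reset-by-" + by)
    return temp  # goes to the e-mail address on record, never onto the page

def login(db, user_id, password, ip):
    """Returns 'ok', 'must-change', 'locked' or 'bad'; the same 'bad' for unknown user and wrong password."""
    row = db.execute("SELECT pw_hash, salt, try_count, change_password, locked FROM users WHERE user_id=?",
                     (user_id,)).fetchone()
    if row is None:
        log(db, user_id, ip, "login-unknown-user")
        return "bad"
    pw_hash, salt, tries, must_change, locked = row
    if locked:
        log(db, user_id, ip, "login-while-locked")
        return "locked"
    if not hmac.compare_digest(hash_pw(password, salt), pw_hash):
        tries += 1
        now_locked = int(tries >= MAX_TRIES)
        db.execute("UPDATE users SET try_count=?, locked=? WHERE user_id=?", (tries, now_locked, user_id))
        log(db, user_id, ip, "login-failed")
        if now_locked:
            log(db, user_id, ip, "account-locked")
        return "locked" if now_locked else "bad"
    db.execute("UPDATE users SET try_count=0 WHERE user_id=?", (user_id,))  # reset only on SUCCESSFUL login
    log(db, user_id, ip, "login-ok")
    return "must-change" if must_change else "ok"

def change_password(db, user_id, new_password):
    """Accept only a password that passes the complexity rule, then clear the change flag."""
    if not COMPLEXITY.match(new_password):
        return False
    salt = secrets.token_hex(16)
    db.execute("UPDATE users SET pw_hash=?, salt=?, change_password=0 WHERE user_id=?",
               (hash_pw(new_password, salt), salt, user_id))
    return True

def demo():
    """Walk one constructed user through lockout, admin reset, forced change and a normal login."""
    db, ip = open_db(), "203.0.113.7"  # constructed documentation address
    create_user(db, "alice", "Corr3ct!Horse")
    out = {"failures": [login(db, "alice", "guess", ip) for _ in range(MAX_TRIES)]}
    out["correct_while_locked"] = login(db, "alice", "Corr3ct!Horse", ip)
    temp = reset_password(db, "alice", ip, by="admin")
    out["temp_login"] = login(db, "alice", temp, ip)
    out["weak_rejected"] = change_password(db, "alice", "under_interlope")
    out["strong_accepted"] = change_password(db, "alice", "Th,4,*q9")  # 8-char variant of the post's "th,4,*"
    out["final_login"] = login(db, "alice", "Th,4,*q9", ip)
    out["events"] = [r[0] for r in db.execute("SELECT event FROM auth_log ORDER BY rowid")]
    return out
```

Two details follow the post rather than common shortcuts: the lock counter is keyed on the user ID, not the IP, while the IP is still written to auth_log so the dictionary attacker the post mentions can be found after the fact; and the one-time password is accepted exactly once before change_password must succeed, so a generated pronounceable string never stays in service as a permanent credential.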
