Xkcd secure password generator
8/19/2023

I recently completed a project requiring a few thousand pre-set-up user accounts. For their passwords, I decided to implement XKCD-style passwords instead of the usual collection of random characters. I specifically wanted to avoid letting the users choose their own passwords. They would probably use the same password as a related, sensitive system. Keeping the two systems isolated was desirable.

Getting the dictionary file right is difficult

Dictionaries contain a lot of offensive words; we’d prefer not to use them for passwords. I used a fairly complete dictionary that I pulled from a mailing list (the exact URL eludes me, unfortunately).

There’s a fuzzy line for what dictates ‘offensive’, though. The plural of ‘ball’, ‘balls’, can be offensive when combined with the right (or wrong) modifiers. What is offensive varies across cultures. For example, the Brits have a lot of words which are sort of funny and inoffensive if you’re a native English speaker (e.g. [image omitted]). A large proportion of my users were not native English speakers. Many of the funny British-isms had to go.

Even after screening for offensive individual words, it’s possible to get weird combinations of words that have meaning. After stripping out the obvious swear words and other dangerous (but non-sweary) words, I generated a bunch of random passwords and skimmed through them by hand. This turned up some other dangerous combinations, like ‘hate indian’. Once, I encountered this problem with a random character password: somehow the string ‘cute’ snuck into a female user’s password.

Dictionaries contain lots of obscure words and non-words, like ’re’ or ‘b’. They have no meaning to me and thus no recall value.

Dictionaries also take a long time to read from disk and use a lot of memory. I elected to read the dictionary every time I created a user, which took a good fraction of a second each time. It would have been smarter to keep it in memory and put some effort into freeing that memory when done. Better yet, generate the passwords offline.

Random word passwords look different to normal passwords, and most users have never encountered a passphrase before. Many users didn’t recognise the string as a password at all; they emailed saying that they hadn’t received a password, or thought that it was part of a sentence that had been mistyped, or asked what the words meant. One thought that it was a cryptic word puzzle that they had to solve and that once solved, that answer would be the password. I had to draw a diagram showing that the passphrase should be typed in just like a regular password. [image: diagram] It seems almost comical, in hindsight, but this genuinely reduced the number of support emails that I received.

I elected to not show the user’s password as they typed, but I think that might be a mistake. A lot of users don’t type the spaces. Such a long password is easy to get wrong. If the password is long and difficult to enter, users will just copy and paste it.

Even copy and paste has its problems. A lot of users will select too many or too few characters at the start and end of the password string, and if they can’t see the password when they paste it, they can’t see the error. This somewhat defeats the purpose of providing a memorable password.

I added a new Django auth backend to strip spaces and lowercase everything. It almost eliminated the “my password isn’t working” emails. Logging your failed password attempts (securely!) will help a lot with diagnosing these problems.

Quantifying security differences is tricky at the best of times.
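The following is an added example, not code from the post, that puts the dictionary lessons (filter once and keep the list in memory, drop non-words, block individual words and adjacent-word phrases, draw words with a CSPRNG) and the login lesson (normalize whitespace and case before checking) into one runnable script. The word list, blocklists, salt and the PBKDF2 hasher are all constructed or assumed here; in the Django setting the post describes, `normalize()` would be applied inside a `ModelBackend` subclass before handing the password to the parent `authenticate`, and Django's own hasher would replace `hash_passphrase()`. The `pick` parameter exists only so the generator can be exercised deterministically.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import re
import secrets

# Constructed sample dictionary (assumption: a real list has tens of thousands
# of entries and is loaded from a file once, at start-up, not once per user).
RAW_WORDLIST = """
correct horse battery staple re b
cute balls hate indian cloud river
anvil paper lantern orbit velvet
muffin garden copper walnut meadow
"""

# Constructed blocklists; in practice these are reviewed files, and the phrase
# list grows by skimming generated output by hand, as the post describes.
BLOCKED_WORDS = {"cute", "balls"}
BLOCKED_PHRASES = {"hate indian"}

MIN_WORD_LEN = 3  # drops non-words such as 're' and 'b'


def load_wordlist(raw: str) -> list[str]:
    """Filter once and keep the result in memory.

    Keeps words that are purely alphabetic, at least MIN_WORD_LEN long and
    not individually blocked; lowercases and de-duplicates them.
    """
    kept = set()
    for word in raw.split():
        word = word.lower()
        if len(word) < MIN_WORD_LEN or not word.isalpha():
            continue
        if word in BLOCKED_WORDS:
            continue
        kept.add(word)
    return sorted(kept)


def contains_blocked_phrase(words: list[str]) -> bool:
    """True if any two adjacent words form a blocked phrase."""
    return any(f"{a} {b}" in BLOCKED_PHRASES for a, b in zip(words, words[1:]))


def generate_passphrase(wordlist: list[str], n_words: int = 4, pick=secrets.choice) -> str:
    """Choose n_words uniformly with a CSPRNG; regenerate on a phrase hit.

    `pick` is injectable (hypothetical parameter) so tests can be deterministic.
    """
    while True:
        words = [pick(wordlist) for _ in range(n_words)]
        if not contains_blocked_phrase(words):
            return " ".join(words)


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy in bits when words are drawn uniformly with replacement.

    Filtering shrinks the list, so re-check this after every blocklist change;
    the rejected phrases remove only a negligible fraction of the space.
    """
    return n_words * math.log2(wordlist_size)


def normalize(submitted: str) -> str:
    """Canonical form used at login: drop all whitespace, lowercase.

    Safe here because issued words are lowercase and alphabetic, so the
    canonical form carries exactly the information the user was given.
    """
    return re.sub(r"\s+", "", submitted).lower()


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Hash the *normalized* passphrase so the stored value matches what
    normalize() yields at login (PBKDF2 stands in for Django's hasher)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(passphrase).encode(), salt, 200_000)


def verify_passphrase(submitted: str, stored: bytes, salt: bytes) -> bool:
    """What the normalizing auth backend does before the usual password check."""
    return hmac.compare_digest(hash_passphrase(submitted, salt), stored)


if __name__ == "__main__":
    wordlist = load_wordlist(RAW_WORDLIST)
    issued = generate_passphrase(wordlist)
    print(issued, f"({entropy_bits(len(wordlist), 4):.1f} bits with this toy list)")
    salt = secrets.token_bytes(16)  # constructed; store it alongside the hash
    stored = hash_passphrase(issued, salt)
    print(verify_passphrase(issued.upper().replace(" ", ""), stored, salt))  # True
```

Two design points worth noting. Normalization only costs nothing because the generator already emits lowercase, space-separated alphabetic words; if a deployment ever issued mixed-case or punctuated passphrases, lowercasing at login would silently discard that part of the entropy. And the phrase check has to run on the generated output, not on the dictionary, which is exactly why the post's author found ‘hate indian’ only by skimming generated passwords.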