[nycphp-talk] Relax your password rules
David Krings
ramons at gmx.net
Mon Jun 9 19:04:20 EDT 2014
On 6/9/2014 10:44 AM, Jerry B. Altzman wrote:
> on 6/7/2014 10:38 AM Gary Mort said the following:
>> A plea to anyone setting up a website where you will have users log on. Make
>> your default password rule something simple, like any 4 characters. A
At that point why bother with a password at all? And why use passwords? That's
60s tech...unfortunately, there was nothing invented since then that is easily
created and entered using standard devices such as a keyboard.
If you require a password, ask for a complex password and have strict and
tight rules. Otherwise don't ask for anything. And for those who can't
remember a password that is made up from a phrase like Th1$1sMµP8ssw°rd (where
a German keyboard layout comes in handy), there is stuff like MaskMe or any
one of the other password generators and managers. And then also secure the
channel, out of the box SSL isn't cutting it anymore today. And yes, store the
password salt somewhere else, not in the same table.
>> password complexity system should allow for multiple tiers of rules with
>> configurable default rule that is set, by default :-), to something simple.
>> Tune those tiers and defaults based on your website need, not by blindly
>> implementing the preachings of the high priests of security.
That I agree with. Don't put Fort Knox security on a site that contains
nothing secret. Then again, no matter how good security is, if it is really
delicate info don't put it on the web at all.
> http://bit.ly/1xxLQXJ (Link is SFW.)
> Better yet: don't make users create accounts if they don't have to. Let them
> log in with FB, LinkedIn, Twitter, or Google accounts instead. The chances are
> the user already HAS one of those.
I wouldn't count on people having this. Some places ask me to sign in with my
FB account. I don't have one and the idea of expecting me to have one is
rather obnoxious. I also doubt if it is wise to outsource security to a third
party.
>
>> If you use password authentication for user accounts, then base your rules
>> on your needs. Site owner/Super Admin/Developer accounts should require
>> complex passwords and two factor authentication. Day to day site manager
And offer more options for the second factor. For example, I do not have a
smartphone (yes, saves a lot of money every month). So unless you can figure
out how to send an SMS to my landline forget it. In 2014 it should be possible
to dial my phone and use voice recognition to confirm a pass phrase.
>> accounts most likely only need complex passwords [based on potential damage
>> of a compromised account...if a site manager can give out refunds and
>> credits for an e-commerce site, obviously you want to add extra security!]
> Yes, for these things, you almost certainly want a second layer of
> authentication atop the ones above. For these, little crypto keyfobs are
> great. If the potential financial loss is large, the client should not balk at
> the relatively small cost.
I agree, but in best US fashion the industry miserably fails at agreeing on a
standard here. Then again, with any of these fobs you are authenticating the
fob, not the person holding the fob. For that you'd need biometrics, which is
yet another can of worms.
>
>> Every time I browse around to some interesting looking website where I have
>> to "create an account" to access something I get increasingly upset at those
>> sites trying to force their idea of security on an account that I don't care
>> about. If I decide I want to actively use the site and am giving it
>> sensitive information, I will change that password to something complex. If
>> I never return to that site, then I don't care about the account.
Depending on the site I either use BugMeNot.com or sign up using MaskMe and 10
minute mail. If I find the site / service to be worthwhile I close the fake
account and craft a real one.
> More and more people just use "I forgot my password", and deal with it that
> way. Either you've exchanged the password for a security question, or just
> access to a user's email.
That's because passwords suck! As do password managers which end up being the
single point of failure (I do use them anyway). As mentioned above, it is sad
that after over 50 years of client/server computing there is nothing better
than and as accepted as user names and passwords.
David
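The quoted proposal of "multiple tiers of rules with a configurable default", with privileged accounts additionally required to have a second factor, is the one concrete design in this thread. The following is an added example sketching that design in Python; it is not code from anyone on the list, and the tier names, the numeric limits and the role-to-tier mapping are all made up here to show the mechanism, not to recommend specific values.

```python
"""Tiered password policy checker (added example, not from the thread).

Each account role maps to a tier; roles without an explicit mapping fall
back to a site-configurable default tier, as the quoted post asks for.
Tier names, limits and the role mapping below are hypothetical.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class Tier:
    name: str
    min_length: int
    char_classes: int = 1            # of lower / upper / digit / symbol
    require_second_factor: bool = False


# Hypothetical tiers; the numbers are illustrative only.
TIERS = {
    "simple": Tier("simple", min_length=4),
    "standard": Tier("standard", min_length=12, char_classes=3),
    "privileged": Tier("privileged", min_length=16, char_classes=4,
                       require_second_factor=True),
}

# Site operators tune these two settings for their own needs.
DEFAULT_TIER = "simple"
ROLE_TIERS = {
    "owner": "privileged",
    "developer": "privileged",
    "site_manager": "standard",
}


def tier_for_role(role: str) -> Tier:
    """Resolve a role to its tier, falling back to DEFAULT_TIER."""
    return TIERS[ROLE_TIERS.get(role, DEFAULT_TIER)]


def count_char_classes(password: str) -> int:
    """Count how many of lowercase, uppercase, digit, symbol are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    present = sum(any(c in cls for c in password) for cls in classes)
    # Anything that is not a letter or digit counts as a symbol.
    if any(not c.isalnum() for c in password):
        present += 1
    return present


def check_password(role: str, password: str,
                   second_factor_enrolled: bool) -> list[str]:
    """Return the policy violations for this role; empty list means accepted."""
    tier = tier_for_role(role)
    problems = []
    if len(password) < tier.min_length:
        problems.append(f"{tier.name}: at least {tier.min_length} characters")
    if count_char_classes(password) < tier.char_classes:
        problems.append(f"{tier.name}: at least {tier.char_classes} character classes")
    if tier.require_second_factor and not second_factor_enrolled:
        problems.append(f"{tier.name}: second factor must be enrolled")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts for a quick demonstration.
    samples = [
        ("reader", "abcd", False),            # unmapped role -> default tier
        ("site_manager", "abcd", False),      # too short, too few classes
        ("owner", "Th1$1sM\u00b5P8ssw\u00b0rd", False),  # strong, but no 2FA
        ("owner", "Th1$1sM\u00b5P8ssw\u00b0rd", True),
    ]
    for role, pw, has_2fa in samples:
        result = check_password(role, pw, has_2fa)
        print(f"{role:13s} -> {'accepted' if not result else result}")
```

The point of keeping the tier table separate from the role table is that a site can raise or lower the default for throwaway accounts without touching the rules for owner or developer accounts, which is the "tune those tiers and defaults based on your website need" part of the proposal.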