Underdistress
My Photo

« Phishers get big mileage by using info that looks credible | Main | ;login article: ICANN's Security Stability and Resiliency Plan »

Friday, 05 February 2010

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Thanks for this pointer. I will download the script and give it a try.

You raise a good point about online password testing tools: a test script or application hosted on a web server does create a possibility of a man in the middle attack, where the password you are composing or checking is intercepted or captured by a bad guy. To minimize this, I suggest that you use such password generators to compose a password of desired composition and length, but then change the suggested password a bit before you actually put it to use. If you are really concerned, use a client side password generator such as the ones I've mentioned.

I just wanted to bring to your attention my little javascript password generator: http://hype-free.blogspot.com/2010/04/updated-yarpg.html

It has at least three advantages:
- Customizable (length, character set)
- It is all client-side, so you don't have to worry (that much) about MITM attacks
- Given that it is fully client side, you can do a code review instead of placing your trust in some server

Thanks for this observation. Everyone is capable of remembering passwords, the trick is to learn to compose passwords you alone will remember. Alternatively, create one very strong password. Use a random password generator to create passwords for all your accounts, and store these in a password vault or safe (many such applications exist).

You can follow me on Twitter at securityskeptic

Users will still have problems with remembering passwords. Which brings about writing passwords on 'post-it's and sticking them on your monitor!

Do you have a twitter account? I'd like to follow you.

The comments to this entry are closed.