

Registrations on Websites: User Chosen Password vs. Assigned Password?


Paul Keith:
Two steps don't really work.

Quoting a Hacker News comment on the link:

Devil's advocate here:

If I can trick a user into submitting their username and password on my site, I can send a request to Google using that username/password and trigger a message to the mobile application. The user continues with the flow, enters the code on my screen, and I now have access to their account, same as before.
--- End quote ---

I don't think 2-factor auth as proposed by Google is designed to prevent man-in-the-middle attacks: http://www.phonefactor.com/man-in-the-middle-attacks
In order to prevent MITM, Google would need to have out-of-band verification (not just two tokens processed on the same band).

The benefit of Google's method is that a password can't be cached for later use, which reduces the window in which an account can be compromised.
--- End quote ---

Seems to be the same thing with the BlizzAuthenticator. Good idea, but I wouldn't use it. You gotta consider what happens if you lose your phone. You can't do any emergency calls and don't even have access to your saved phone numbers anymore. You're also locked out of your Gmail Account for god knows how long. I like my phone, but a little bit of decentralizing can never be wrong :)
--- End quote ---

Personally I'm still waiting for a three-step system using image (not text) captcha to profiles to password + interval self-made sets of security questions for certain behaviours. (like there's a secret question if you go and access a certain site or delete/view/revisit a certain amount of e-mails)

The fallback system being that if a user has lost anything or been exposed to any middle of the man attack - they can shut down the attack using their uploaded .jpg/.png image as a key to the nuke and reset button.

Gothi[c]:
This one is easy:

It's just a matter of risk assessment, like anything in real-world security.

A generated password is better.

The chance is FAR greater that a person will choose a weak or reused password than that their email will be sniffed.

In a perfect world, it would be even better if the password is shown to them after signup over https and not emailed.
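The risk comparison in this post can be made concrete. The following is an added example, not code from the thread or from any project mentioned in it: it generates a server-side password from the operating system's CSPRNG, computes its entropy, and applies a minimal weak-password check of the kind a signup form would run on a user-chosen password. The alphabet, the 16-character default length, the 12-character minimum and the small common-password set are all constructed assumptions for illustration; a real deployment would use a full breached-password list.

```python
import math
import secrets
import string

# Assumed alphabet for generated passwords: 62 symbols, letters and digits only.
ALPHABET = string.ascii_letters + string.digits

# Constructed stand-in for a breached/common-password list (a real one has millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def generate_password(length: int = 16) -> str:
    """Server-side generated password drawn uniformly from ALPHABET using the OS CSPRNG.

    The result should be shown to the user once over HTTPS, as the post suggests,
    rather than sent by email.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generated_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    16 symbols from a 62-symbol alphabet give about 95 bits, far beyond any
    realistic online or offline guessing budget.
    """
    return length * math.log2(alphabet_size)


def check_user_password(pw: str, min_length: int = 12) -> list[str]:
    """Return the problems found in a user-chosen password; an empty list means accepted.

    This is the check a signup form would apply to a user-chosen password and
    is the part that a generated password makes unnecessary.
    """
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw} ({generated_entropy_bits(len(pw)):.1f} bits)")
    print("user-chosen 'password':", check_user_password("password"))
```

The character-class rule is deliberately crude: it rejects obvious junk but cannot detect reuse across sites, which is exactly the failure mode the post is weighing against email sniffing. A generated password sidesteps both problems at the cost of the recovery question raised in the next reply.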

JavaJones:
What is better in a perfect world and what is better in the real world are different things. :D What happens when the user forgets their password?

- Oshyan

Ath:
What happens when the user forgets their password?
-JavaJones (February 17, 2011, 02:35 PM)
--- End quote ---

They get slapped on the cheek, and sent to the KeePass website :-[

timns:
What happens when the user forgets their password?
-JavaJones (February 17, 2011, 02:35 PM)
--- End quote ---

They get slapped on the cheek, and sent to the KeePass website :-[
-Ath (February 17, 2011, 02:38 PM)
--- End quote ---

Or slapped on the ass and sent to the KeepCheek site  :o
