[Owasp-leaders] Another take on Passwords

Jim Manico jim.manico at aspectsecurity.com
Fri Jan 23 04:00:05 EST 2009

> Should OWASP have some "project" that is a UI component that will allow a user to tell the strength of chosen password (I think Yahoo does something similar but could be better)
Sounds cool. Most JavaScript libraries have a component of this nature available to some degree, but it would be cool for OWASP to verify the policy they use, as well as build our own. We can't really just build one JS component and have that work for everyone - the JavaScript component world is fractured into jQuery, Google's lib, MS's lib, Yahoo's lib, and others. Perhaps we could just offer a little OWASP JavaScript function that does a simple configurable password policy check?!

> I would argue that weak passwords are less of a problem than weak password reset routines.

I agree, but only in the case where the application is using some kind of account lockout policy in order to stop brute force attacks. Weak passwords are very easy to brute force. And brute forcing is easy. :)

> Think about how easy it was for some Yahoo's to jack Sarah Palin's email. There is no sound guidance on developing reset mechanisms of any credibility. FYI. This is what I am noodling today as part of my day job

Now, the Palin hack only happened because of 2 factors:

(1) She used easy questions and

(2) She did not have her account attached to a secondary email address.

If either of these things were not true, I suspect her account would never have been compromised. Plus, she was using a webmail account to do official state business? That's stupid (and possibly illegal).

But I do agree with your conjecture that password administration features can be critical show-stopping problems!

> Why are we still using passwords to protect web applications? How come the OWASP crowd isn't backing federated identity, Cardspace, etc?

These solutions are so expensive to roll out! The complexity and cost of client-side key management is not something small business websites can afford. Especially if you are consumer facing. But I agree we should be pushing it in the enterprise space. Heck, PayPal offers a keyfob...

Yeah, you are right, James. The era of the password is really over. OWASP really should be pushing multi-factor auth.

- Manico
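The "little configurable password policy check" floated in this message, sketched as an added example; it is not OWASP code and not from the thread. The policy fields, the sample deny list and the function names are assumptions, and the strength estimate is a simple random-character upper bound.

```javascript
// Added example (not OWASP code): a small, configurable client-side password
// policy check. The policy object and deny list are constructed samples. A
// browser check is only a usability aid: the server must enforce the same policy.
const DEFAULT_POLICY = {
  minLength: 12,          // minimum number of characters
  requireClasses: 3,      // of: lowercase, uppercase, digit, symbol
  maxRepeat: 3,           // longest allowed run of one repeated character
  denyList: ["password", "letmein", "qwerty"], // constructed sample list
};

const CHARACTER_CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  { name: "symbol", re: /[^A-Za-z0-9]/, size: 33 },
];

// Returns { ok, failures }; failures lists every rule the password broke,
// so a UI component can tell the user exactly what to fix.
function checkPassword(password, policy = DEFAULT_POLICY) {
  const failures = [];
  if (password.length < policy.minLength) {
    failures.push(`at least ${policy.minLength} characters`);
  }
  const present = CHARACTER_CLASSES.filter((c) => c.re.test(password));
  if (present.length < policy.requireClasses) {
    failures.push(`at least ${policy.requireClasses} of: ` +
      CHARACTER_CLASSES.map((c) => c.name).join(", "));
  }
  // (.)\1{n,} matches a character followed by n or more copies of itself
  const runRe = new RegExp(`(.)\\1{${policy.maxRepeat},}`);
  if (runRe.test(password)) {
    failures.push(`no run of more than ${policy.maxRepeat} identical characters`);
  }
  const lowered = password.toLowerCase();
  if (policy.denyList.some((word) => lowered.includes(word))) {
    failures.push("must not contain a well-known password");
  }
  return { ok: failures.length === 0, failures };
}

// Rough figure for a strength meter: length * log2(alphabet size), an upper
// bound that assumes random characters; the deny list catches dictionary words.
function estimateBits(password) {
  const alphabet = CHARACTER_CLASSES
    .filter((c) => c.re.test(password))
    .reduce((sum, c) => sum + c.size, 0);
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}
```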