Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Enforcing Good Password Choice

Glenn Fleishman discusses passwords. Password policy enforcement is tough — as a network administrator, you want your users to have long, unguessable passwords. Your users, on the other hand, just want to use their computers. Basic password testing is relatively easy: check that the password is long enough (eight characters is a starting point) and contains mixed-case characters and at least one number or symbol. Bonus points: check that the password contains no dictionary words. For instance, "1Password!" meets the criteria outlined above, but is not too hard to guess.
If you are stuck with a password-only authentication system (that is, you can't deploy two-factor authentication like smart cards), one solution could be to have administrator-generated passwords. For the new web store we are developing, we have a password reset feature that generates a new password when the user forgets the old one. We used a generator similar to this one, which creates pronounceable passwords that aren't actually words, for instance, "ideffite" and "aternyma". We add some punctuation to mix things up a bit. It's far from perfect, but just about the best we can do under the circumstances — we can't very well require that everyone have a Corriente-issued SecurID token before ordering from our store.
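As an added example (not code from the original post or its web store), here is a Python sketch of both ideas above: the basic policy checks plus the dictionary-substring test that flags "1Password!", and a consonant-vowel syllable generator in the spirit of the one described. The mini dictionary is a constructed stub, and the punctuation set, syllable count and syllable shape are my assumptions.

```python
import secrets
import string

# Constructed stub for the demo; a real deployment would load a full word
# list (e.g. a system dictionary file) into this set.
DICTIONARY = {"password", "secret", "welcome", "letmein", "admin", "store"}

def basic_policy_failures(password, min_length=8):
    """Return the basic checks the password fails (empty list = passes)."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("needs mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        failures.append("needs a digit or symbol")
    return failures

def contained_dictionary_words(password, dictionary=DICTIONARY, min_len=4):
    """Dictionary words of min_len+ letters found inside the password, case-insensitively."""
    lowered = password.lower()
    return sorted(w for w in dictionary if len(w) >= min_len and w in lowered)

def check_password(password):
    """Full check: basic policy plus the 'bonus points' dictionary test."""
    failures = basic_policy_failures(password)
    words = contained_dictionary_words(password)
    if words:
        failures.append("contains dictionary word(s): " + ", ".join(words))
    return failures

# Assumed generator shape: consonant-vowel syllables ("ideffite"-style), then
# a few punctuation characters inserted at random positions.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
PUNCTUATION = "!#$%&*+-=?@"

def pronounceable_password(syllables=4, punctuation=2):
    """Generate a pronounceable non-word password using a CSPRNG (secrets)."""
    rng = secrets.SystemRandom()
    chars = []
    for _ in range(syllables):
        chars.append(rng.choice(CONSONANTS))
        chars.append(rng.choice(VOWELS))
    for _ in range(punctuation):
        chars.insert(rng.randrange(len(chars) + 1), rng.choice(PUNCTUATION))
    return "".join(chars)
```

The generator's output is all lower case, so it deliberately satisfies only the length, symbol and no-dictionary-word parts of the policy; uppercasing one random letter is a one-line change if the same rules must apply to reset passwords.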
By Periodik Labs on April 25, 2005 5:23 PM |