AD and enforced password policies

Michael Thomas mike at mtcc.com
Tue Jan 3 13:31:12 UTC 2012


On 01/03/2012 05:09 AM, Greg Ihnen wrote:
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it. Greg

I've been doing something with my site/app (phresheez) that is helpful
on that front: instead of having them use their password, the app auto-generates
a password for the user instead. I did this mainly for convenience -- users
hate typing on their phones -- but it has the nice property that you don't
have a domino effect if a password on my site is compromised. Since most
browsers auto-remember your passwords anyway, it even works in the web
world too.

For most need-to-join sites, I think this is a pretty reasonable solution. Maybe
not for, oh say, financial sites where password recovery is a little bit scarier,
but for the run of the mill app/site... it seems that this solution at least
solves the domino problem.

Mike
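
The server-issued-password flow described above, as an added example that is not code from phresheez or from the original post: the server generates the credential, keeps only a salted hash, and hands the plaintext back exactly once for the client (phone app or browser password store) to keep. The in-memory store, the round count and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's user table: username -> (salt, hash).
_store: dict[str, tuple[bytes, bytes]] = {}
# PBKDF2 work factor; assumed value, tune upward to your hardware budget.
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_account(username: str) -> str:
    """Create (or re-key) an account with a server-generated password.

    The user never picks the secret, so it cannot be one they reuse elsewhere:
    a breach of this store cannot cascade to other sites, and a breach of
    another site cannot open this account. Returns the plaintext once.
    """
    password = secrets.token_urlsafe(24)  # 32 URL-safe chars, 192 bits of entropy
    salt = secrets.token_bytes(16)
    _store[username] = (salt, _derive(password, salt))
    return password


def verify(username: str, password: str) -> bool:
    """Check a login attempt against the stored salted hash."""
    record = _store.get(username)
    if record is None:
        # Burn the same KDF cost so unknown usernames are not cheaper to probe.
        _derive(password, b"\x00" * 16)
        return False
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


def recover_account(username: str) -> str:
    """Recovery path: the old secret is never revealed, only replaced.

    Since the server, not the user, owns the password, 'recovery' is simply
    issuing a fresh one to a re-verified client and invalidating the old hash.
    """
    return provision_account(username)
```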