http://qs1969.pair.com?node_id=11133944


in reply to Re^5: Replacing crypt() for password login via a digest - looking for stronger alternative
in thread Replacing crypt() for password login via a digest - looking for stronger alternative

The password is really bad: it can be found in every dictionary, and just adds one non-alphanumeric character.

A few years back I got into really hot water with some users. Instead of a fixed "3 numbers, 4 characters, one special character" type of password, the systems I developed started using a complexity score thing. Somewhat secure "random" passwords could get away with about 10 characters. Using things like part of the username, your real name and stuff like that would come with a steep penalty, requiring a much longer password.

Needless to say, some users were pissed about the fact that I "required a 40 character password" and that they "can't use their favourite password and refuse to remember a new one". Shame it's not in my power to fire people or force them to sit through a three week class on basic computer security.

perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'
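The "complexity score" idea from the post above, as an added illustration that is not the poster's code or anything from the thread: instead of a fixed "N numbers, M characters" rule, the script estimates a password's strength in bits (charset size times length) and subtracts penalties when the password contains fragments of the username or real name, or a dictionary word. It also reports how long a password of that kind would have to be to pass, which is the effect the poster describes (a random 10-character password passes, a name-based one needs far more). The threshold of 50 bits, the penalty weights, the tiny word list and the sample accounts are all made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(ceil);

my $MIN_BITS   = 50;   # hypothetical policy threshold, chosen for the example
my @DICTIONARY = qw(password welcome dragon monkey summer hunter);  # constructed word list

# Bits of entropy per character, assuming characters are drawn uniformly
# from the union of the character classes actually used.
sub charset_bits {
    my ($pw) = @_;
    my $size = 0;
    $size += 26 if $pw =~ /[a-z]/;
    $size += 26 if $pw =~ /[A-Z]/;
    $size += 10 if $pw =~ /[0-9]/;
    $size += 33 if $pw =~ /[^A-Za-z0-9]/;   # printable ASCII punctuation
    return $size ? log($size) / log(2) : 0;
}

# Returns { bits, ok, needed, notes }: the penalised score, whether it meets
# the policy, the length a password built this way would need, and why it
# was penalised.
sub score_password {
    my (%arg) = @_;
    my $pw = $arg{password};
    my $lc = lc $pw;
    (my $norm = $lc) =~ tr/0134/olea/;    # undo common substitutions like "p4ssw0rd"

    my $per_char = charset_bits($pw);
    my $penalty  = 0;
    my @notes;

    # Steep penalty for fragments (4+ chars) of the username or real name.
    for my $field (qw(username realname)) {
        next unless defined $arg{$field};
        for my $tok (grep { length >= 4 } split /\W+/, lc $arg{$field}) {
            next if index($norm, $tok) < 0;
            $penalty += 6 * length $tok;  # hypothetical weight
            push @notes, "contains $field fragment '$tok'";
        }
    }
    # Smaller penalty for plain dictionary words.
    for my $word (@DICTIONARY) {
        next if index($norm, $word) < 0;
        $penalty += 4 * length $word;     # hypothetical weight
        push @notes, "contains dictionary word '$word'";
    }

    my $bits   = $per_char * length($pw) - $penalty;
    my $needed = $per_char ? ceil(($MIN_BITS + $penalty) / $per_char) : 0;
    return {
        bits   => $bits,
        ok     => ($bits >= $MIN_BITS ? 1 : 0),
        needed => $needed,
        notes  => \@notes,
    };
}

# Constructed sample accounts and candidate passwords.
for my $case (
    { password => 'xK7#pQ2mLz',           username => 'jsmith', realname => 'John Smith' },
    { password => 'Summer2021!',          username => 'jsmith', realname => 'John Smith' },
    { password => 'johnsmith_password1!', username => 'jsmith', realname => 'John Smith' },
) {
    my $r = score_password(%$case);
    printf "%-24s %5.1f bits  %s  (would need ~%d chars)%s\n",
        $case->{password}, $r->{bits}, $r->{ok} ? 'OK  ' : 'WEAK', $r->{needed},
        @{ $r->{notes} } ? '  ' . join('; ', @{ $r->{notes} }) : '';
}
```

The dictionary check runs on the normalised string, so "Summer2021!" is still caught as the word "summer" plus a date, while the random 10-character password passes with room to spare. In a real deployment the word list would be a proper cracking dictionary and the thresholds would be tuned to the site's policy; the scoring structure is what matters.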

Re^7: Replacing crypt() for password login via a digest - looking for stronger alternative
by afoken (Chancellor) on Jun 17, 2021 at 16:38 UTC
    Shame it's not in my power to fire people or force them to sit through a three week class on basic computer security.

    That's one point where I may have an advantage: We had a security incident last year, where a trivial password was guessed and used to send out spam from our systems. It was mainly annoying, because the provider we use to send out mails (smarthost) simply locked our SMTP account after a few mails.

    And I will simply send out a short presentation about password security to everyone. Just a few sheets, should take no longer than a few minutes to read and understand.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)