Most of my users can't even type these passwords in, let alone remember them for more than 10 seconds...
A user really should not need to remember a password that YOU or your SYSTEM generated. They just need to be able to type it once, and then define a password for THEMSELVES. Two benefits: (1) you have less liability if you don't know their passwords, and (2) they can design passwords that they can remember.
Security and Convenience are typically opposed. The easier, the weaker. The stronger, the more complicated. The challenge is not in developing secure rules, but in encouraging secure behavior. Make the rules too strict and the users will break them (password on a Post-it). Make the rules too lax and the users will drive right through them (password eq userid). Help them understand the implications of security and liability, and how to choose strong yet mnemonic passwords on their own.
Update: Yes, I implied but didn't stipulate that the best practice is to generate a use-once password and force a password change.
--
[ e d @ h a l l e y . c c ]
In reply to Re: Words without a Dictionary by halley, in thread Words without a Dictionary by Anonymous Monk
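An added example (not halley's code or anything from the thread) of the practice described above: a system-generated, use-once password with an expiry, after which the account is forced into a "change required" state until the user sets a password of their own. Python; the PBKDF2 hashing, the 24-hour expiry and the minimum length are assumptions standing in for whatever the site actually uses.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits


def generate_temporary_password(length=12):
    # Cryptographically random; shown to the user once, never stored in clear.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 is an assumed stand-in for the site's real KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool   # True while the system-generated password is in force
    temp_expires: object  # datetime or None


def create_account_with_temp_password(username, now, ttl=timedelta(hours=24)):
    temp = generate_temporary_password()
    salt = secrets.token_bytes(16)
    acct = Account(username, salt, hash_password(temp, salt), True, now + ttl)
    return acct, temp  # the operator never needs to know temp after handing it over


def login(acct, password, now):
    """Return 'ok', 'change_required' or 'denied'."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "denied"
    if acct.must_change:
        if acct.temp_expires is not None and now > acct.temp_expires:
            return "denied"  # the one-time password has expired unused
        return "change_required"
    return "ok"


def set_own_password(acct, current, new, now):
    # The user defines their own password; trivially weak choices are rejected.
    if login(acct, current, now) == "denied":
        return False
    if len(new) < 12 or new.lower() == acct.username.lower():
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.must_change, acct.temp_expires = False, None
    return True
```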