Hacking the Code: ASP.NET Web Application Security [Electronic resources] - Text version

James C. Foster, Mark M. Burnett

Frequently Asked Questions



The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to and click on the form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. Which hashing algorithms are bundled within the .NET Framework?

2. Should I automatically generate passwords with totally random characters to make sure their passwords are secure?

3. What should I allow for a maximum password length?

4. My Web forum page is completely dependent on showing usernames. How can I prevent others from harvesting these usernames?

5. I operate a Web application that contains very sensitive user financial information. Should I force users to change their passwords every 30 days to ensure maximum password security?

6. After a password reset, what is the point of putting a link in the e-mail rather than the actual password? If a hacker can access the user’s e-mail, he can just as easily access the link in an e-mail. Why not just e-mail the user a temporary password?

7. Are temporary passwords bad?

8. What is the best way to get users involved in security?

9. Where can I obtain some word lists for checking user passwords?

Answers

1. MD5, SHA1, SHA256, SHA384, and SHA512.

2. Many people believe that generating completely random passwords will best protect users. But keep in mind that it is extremely difficult for users to remember a random password such as jD4nWpa8v, likely requiring them to write it down. Perhaps a better solution is to create a more memorable password made up of multiple random English words and punctuation. Users are more likely to remember these passwords, and you can even get away with giving users longer passwords.
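
The passphrase approach in answer 2, as an added example that is not code from the book: it picks words and punctuation with a cryptographic random source and reports the entropy of the construction so you can compare it with a short fully random string. The word list below is a constructed sample; a real generator would load a list of several thousand common words from a file. `RandomNumberGenerator.GetInt32` is assumed to be available (.NET Core 3.0 and later); on the .NET Framework you would draw bytes from `RNGCryptoServiceProvider` instead.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the book): build a memorable passphrase from randomly
// chosen English words joined by punctuation, and estimate its entropy.
public static class PassphraseGenerator
{
    // Constructed sample list. Entropy per word is log2(list size), so a real
    // deployment wants thousands of words, not sixteen.
    public static readonly string[] SampleWords =
    {
        "river", "copper", "window", "planet", "basket", "silver",
        "meadow", "candle", "harbor", "button", "forest", "marble",
        "pepper", "saddle", "ticket", "walnut"
    };

    // Punctuation placed between words; also adds a little entropy per join.
    private static readonly char[] Separators = { '!', '-', '.', '?', '#', '+', '*', '_' };

    // Unbiased, cryptographically secure index in [0, count).
    private static int PickIndex(int count) => RandomNumberGenerator.GetInt32(count);

    public static string Generate(string[] words, int wordCount)
    {
        if (words == null || words.Length < 2)
            throw new ArgumentException("need a word list", nameof(words));
        if (wordCount < 2)
            throw new ArgumentOutOfRangeException(nameof(wordCount));

        var sb = new StringBuilder();
        for (int i = 0; i < wordCount; i++)
        {
            // Capitalise each word so the phrase also satisfies a typical
            // mixed-case policy without costing the user any memory effort.
            string w = words[PickIndex(words.Length)];
            sb.Append(char.ToUpperInvariant(w[0])).Append(w.Substring(1));
            if (i < wordCount - 1)
                sb.Append(Separators[PickIndex(Separators.Length)]);
        }
        return sb.ToString();
    }

    // Entropy in bits: each word contributes log2(|words|), each separator log2(|Separators|).
    public static double EntropyBits(int listSize, int wordCount) =>
        wordCount * Math.Log(listSize, 2) + (wordCount - 1) * Math.Log(Separators.Length, 2);

    public static void Main()
    {
        Console.WriteLine(Generate(SampleWords, 4));   // e.g. Copper!Planet-Walnut.River
        Console.WriteLine($"{EntropyBits(SampleWords.Length, 4):F1} bits with the 16-word sample list");
        Console.WriteLine($"{EntropyBits(7776, 4):F1} bits with a 7776-word list");
    }
}
```

With a 7776-word list, four words plus three separators give roughly 60.7 bits, while a nine-character random alphanumeric string like the jD4nWpa8v in the answer carries about 53.6 bits (log2 of 62^9); the phrase is longer to type but far easier to remember, which is the trade-off the answer is making.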

3. If you are using a hashing algorithm, the hash itself is a fixed length, regardless of the size of the password. In other words, a seven-character password produces a hash the same length as a 200-character password. So if you use password hashes, you do not need to enforce a maximum password length.
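
The point in answers 1 and 3 in running code, added here and not part of the book: every algorithm the .NET Framework bundles is run over a seven-character and a 200-character password, and the digest length comes out the same for both inputs. The inputs are constructed; the factory methods are the ones in `System.Security.Cryptography`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the book): show that the digest length is fixed by
// the algorithm, not by the password length, for each bundled hash algorithm.
public static class HashLengthDemo
{
    // Digest size in bytes for one algorithm over one input.
    public static int DigestLength(HashAlgorithm algorithm, string password)
    {
        byte[] input = Encoding.UTF8.GetBytes(password);
        return algorithm.ComputeHash(input).Length;
    }

    public static void Main()
    {
        string shortPassword = "abcdefg";              // 7 characters (constructed)
        string longPassword = new string('x', 200);    // 200 characters (constructed)

        var algorithms = new (string Name, Func<HashAlgorithm> Create)[]
        {
            ("MD5",    () => MD5.Create()),
            ("SHA1",   () => SHA1.Create()),
            ("SHA256", () => SHA256.Create()),
            ("SHA384", () => SHA384.Create()),
            ("SHA512", () => SHA512.Create()),
        };

        foreach (var (name, create) in algorithms)
        {
            using (HashAlgorithm h = create())
            {
                int a = DigestLength(h, shortPassword);
                int b = DigestLength(h, longPassword);
                Console.WriteLine($"{name,-7} 7-char -> {a,2} bytes, 200-char -> {b,2} bytes, same length: {a == b}");
            }
        }
        // Prints 16 (MD5), 20 (SHA1), 32 (SHA256), 48 (SHA384) and 64 (SHA512)
        // bytes for both inputs, so the storage column can be a fixed width.
    }
}
```

Because the stored value has a known width (for example 32 bytes, or 64 hex characters, for SHA256), the database schema rather than the password dictates the column size. One caveat a practitioner would add today: a bare, unsalted MD5 or SHA1 is fast to brute-force, so password storage should add a per-user salt and a deliberately slow, iterated derivation such as PBKDF2 (`Rfc2898DeriveBytes` in .NET); the fixed-length property holds just the same.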

4. Some Web applications are based on user interaction and cannot completely prevent username harvesting. To counteract this potential danger, allow users to change their usernames and set aliases for their accounts.

5. This is the most secure policy, but it can push users to circumvent the inconvenience by writing passwords down or following predictable patterns. A better solution is to encourage stronger passwords and allow users to keep them longer.

6. It is true that a link in an e-mail is just as accessible as the password itself, but there are other reasons for doing this. First, it establishes a secure communication channel when the user clicks the link. Second, it allows the Web server to record the client’s IP address and time of visit. Third, it prevents the user from saving an e-mail containing the password. And finally, if the user no longer owns the e-mail account or if the e-mail is routed incorrectly, it prevents others from obtaining the user’s password.

7. Temporary passwords are not bad, as long as you force them to be temporary. The best technique is to mark them as already expired so that when a user logs in she is forced to immediately change her password.
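
The "issue it already expired" technique from answer 7, as an added example that is not the book's code: the temporary password is stored with an expired flag, a correct login with it yields only a must-change result, and setting a new password clears the flag. The in-memory account store, the `PasswordExpired` field and the `LoginResult` values are assumptions for the illustration; a real application would map them onto its own membership tables. `RandomNumberGenerator.Fill` and `CryptographicOperations.FixedTimeEquals` are assumed available (.NET Core 2.1 and later).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the book): temporary passwords that are created
// already expired, so the first login forces a password change.
public enum LoginResult { Failed, MustChangePassword, Success }

public sealed class Account
{
    public string Username { get; set; }
    public byte[] Salt { get; set; }
    public byte[] PasswordHash { get; set; }
    public bool PasswordExpired { get; set; }   // true => must set a new password before proceeding
}

public static class TemporaryPasswordFlow
{
    // Assumed in-memory store standing in for the application's user table.
    private static readonly Dictionary<string, Account> Store =
        new Dictionary<string, Account>(StringComparer.OrdinalIgnoreCase);

    // Salted SHA-256 keeps the example short; production code should use a
    // deliberately slow password hash such as PBKDF2 (Rfc2898DeriveBytes).
    private static byte[] Hash(byte[] salt, string password)
    {
        using (var sha = SHA256.Create())
        {
            byte[] pw = Encoding.UTF8.GetBytes(password);
            byte[] input = new byte[salt.Length + pw.Length];
            Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
            Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
            return sha.ComputeHash(input);
        }
    }

    private static void SetPassword(Account acct, string password, bool expired)
    {
        acct.Salt = new byte[16];
        RandomNumberGenerator.Fill(acct.Salt);
        acct.PasswordHash = Hash(acct.Salt, password);
        acct.PasswordExpired = expired;
    }

    // Reset / help-desk path: the temporary password is born expired.
    public static string IssueTemporaryPassword(string username)
    {
        Account acct;
        if (!Store.TryGetValue(username, out acct))
            Store[username] = acct = new Account { Username = username };

        byte[] raw = new byte[9];
        RandomNumberGenerator.Fill(raw);
        string temp = Convert.ToBase64String(raw);   // 12 characters, single use
        SetPassword(acct, temp, expired: true);
        return temp;
    }

    public static LoginResult Login(string username, string password)
    {
        Account acct;
        if (!Store.TryGetValue(username, out acct)) return LoginResult.Failed;
        byte[] candidate = Hash(acct.Salt, password);
        if (!CryptographicOperations.FixedTimeEquals(candidate, acct.PasswordHash))
            return LoginResult.Failed;
        // Correct password, but an expired one grants nothing except the change-password page.
        return acct.PasswordExpired ? LoginResult.MustChangePassword : LoginResult.Success;
    }

    public static bool ChangePassword(string username, string currentPassword, string newPassword)
    {
        // The (temporary) password must be presented again; a new one clears the flag.
        if (Login(username, currentPassword) == LoginResult.Failed) return false;
        if (newPassword == currentPassword) return false;   // keeping the temporary value is refused
        SetPassword(Store[username], newPassword, expired: false);
        return true;
    }

    public static void Main()
    {
        string temp = IssueTemporaryPassword("alice");                         // constructed user
        Console.WriteLine(Login("alice", temp));                               // MustChangePassword
        Console.WriteLine(ChangePassword("alice", temp, "Copper!Planet-Walnut")); // True
        Console.WriteLine(Login("alice", temp));                               // Failed
        Console.WriteLine(Login("alice", "Copper!Planet-Walnut"));             // Success
    }
}
```

The important design point is that `Login` never returns `Success` for an expired credential, so every page other than the change-password page can simply require `Success`; the temporary password cannot be used as a permanent one by a user who ignores the prompt.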

8. The best way to get users involved is to allow users to discuss security in a public forum or via a mailing list. Such a forum is a great way for your organization and your users to discuss current security issues. But be careful to monitor the forum, since such forums are sometimes used as a way to social-engineer users into revealing their passwords. A fraudster once posted phony support phone numbers at an online payment support forum, instructing users to call those numbers to report security incidents. If someone called those support numbers, the fraudster on the other end first asked them to “authenticate” themselves by revealing their passwords.

9. Visit www.gattinger.org/wordlists/downloadl or http://neworder.box.sk/codebox.links.php?key=passdict.