Re: Usability issue when forced to change password when logging in to a system

On 2015-01-24 03:46, Nico Kadel-Garcia wrote:
> On Fri, Jan 23, 2015 at 10:50 AM, Peter Stuge <peter@xxxxxxxx> wrote:
>> ...
>> So I am wondering if there is any reason for doing like this?
> Data hygiene is one.
> Also, in my opinion as more of an admin than a developer, any bug in a
> routine that stores passwords temporarily in plain text is *begging* to
> have a bug or get an unexpected modification that publishes the
> passwords somewhere else.  Basically, never handle or store dangerous
> information that you don't *have* to store.

There is always a need to strike a balance between security and usability. Sometimes it is missed that good usability also gives good security...

What about changing the dialog like this? (The instructions would then match better what the system actually wants the user to do, that is, first enter the old password and only then start thinking about the new password.)

Login As: Foobar
Password:
Your password has expired. Retype your old password.
Old Password:
Choose a new password.
New Password:
Retype your new password.
New Password:

Could this be implemented without the need for caching any password (old or new) in clear text?


/John
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
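The dialog proposed above, driven as a small state machine, as an added example that is not part of the thread or of OpenSSH: the login password is verified and wiped, the expired user is asked to retype the old password rather than having the login value cached for the change step, and the new password is only ever compared and hashed. The user record, salt, PBKDF2 parameters, the prompt callback and the minimum length are all constructed assumptions for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict

def _hash(password: bytes, salt: bytes) -> bytes:
    # Constructed parameters; a real system would use its own password store.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

SALT = b"constructed-salt"

def make_db() -> Dict[str, dict]:
    # Constructed user "Foobar" whose current, expired password is "hunter2".
    return {"Foobar": {"salt": SALT, "hash": _hash(b"hunter2", SALT), "expired": True}}

def _verify(user: str, password: bytearray, db: Dict[str, dict]) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash(bytes(password), rec["salt"]), rec["hash"])

def _wipe(buf: bytearray) -> None:
    # Overwrite the only copy of the password we hold; nothing is kept for later.
    buf[:] = b"\x00" * len(buf)

def login_with_expiry(user: str, prompt: Callable[[str], str], db: Dict[str, dict]) -> str:
    """Run the proposed dialog. prompt(text) returns the user's answer.
    Returns "ok", "changed" or "failed". Each password lives in one local
    bytearray that is wiped as soon as it has been checked."""
    pw = bytearray(prompt("Password:").encode())
    ok = _verify(user, pw, db)
    _wipe(pw)  # the login password is discarded here, never cached
    if not ok:
        return "failed"
    if not db[user]["expired"]:
        return "ok"
    # Expired: ask the user to retype the old password instead of reusing it.
    old = bytearray(prompt("Your password has expired. Retype your old password.\nOld Password:").encode())
    ok = _verify(user, old, db)
    _wipe(old)
    if not ok:
        return "failed"
    new = bytearray(prompt("Choose a new password.\nNew Password:").encode())
    again = bytearray(prompt("Retype your new password.\nNew Password:").encode())
    result = "failed"
    if hmac.compare_digest(bytes(new), bytes(again)) and len(new) >= 8:  # assumed minimum length
        db[user]["hash"] = _hash(bytes(new), db[user]["salt"])
        db[user]["expired"] = False
        result = "changed"
    _wipe(again)
    _wipe(new)
    return result

def scripted_prompt(answers) -> Callable[[str], str]:
    # Stand-in for the interactive client: returns the scripted answers in order.
    it = iter(answers)
    return lambda text: next(it)
```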