Re: Re: Do you trim() usernames and passwords?

On Tue, Dec 28, 2010 at 11:51 PM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote:
>
>> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote:
>>
>> > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote:
>> >
>> >> Specifically:
>> >>
>> >>>> Dotan Cohen wrote:
>> >>>>> I seem to have an issue with users who copy-paste their usernames and
>> >>>>> passwords copying and pasting leading and trailing space characters.
>> >>
>> >> Users should not be copy-pasting passwords or usernames. Do not compromise a system to cater to bad [stupid, ignorant, you pick] users. If this is an issue then educate the users.
>> >>
>> >
>> > Wrong. I use a program called pwgen to generate passwords for me, which
>> > I cannot remember. I use another program I built to store them in an
>> > encrypted file. When I have to supply a password which I've forgotten
>> > (as usual), I fire up my password "vault", find the password, and paste
>> > it wherever it's needed. Users would be wise to follow a scheme like
>> > this, rather than using their dog's name or somesuch as their passwords.
>> >
>> > Paul
>> >
>> > --
>> > Paul M. Foster
>> > http://noferblatz.com
>> >
>>
>> What is "wrong?" That users should not be copy-pasting passwords or don't compromise the system?
>>
>> I agree that users should not use weak passwords, but not everyone goes everywhere with a vault. I am more than capable of memorizing 20 or so 16-32 character full set passwords.
>>
>
> And so you assume everyone can do that? I can remember maybe 5 of the
> passwords I regularly need. (I rarely repeat passwords for different
> sites.) In addition, some passwords have been *assigned* to me and
> cannot readily be changed (and are usually difficult to remember). Many
> of the rest I so seldom use that it would be silly to try to remember
> them. Particularly when I do have a password-locked file I can use to
> record them for me.
>
> Under the circumstances I described, I have yet to hear in what way
> copying and pasting passwords compromises security of anything by
> itself. Please enlighten me.

Correct me if I'm wrong, but if you initially type the username and
password into a file, and you have, in my paranoid scenario, a
keylogger you don't know about, it gets logged, but also, I assume it
would get logged if you typed it in as well, on the site, or that
someone could lift the password if given the authority on your system,
correct?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


