On Tue, 26 Jan 2010 23:14:31 -0800, Paul Rubin wrote:

> "Mallikarjun(ಮಲ್ಲಿಕಾರ್ಜುನ್)" <mallik.v.ar...@gmail.com> writes:
>> Since this is my first app/program, can someone review my code (just
>> over 150 lines) and help me improve my programming capabilities
>
> I didn't look at the code. From a security point of view, the concept
> of "password strength checking" is pretty dubious. If you want secure
> passwords, generate them from a random number source

But why do they need to be random, if password strength is dubious? *wink*

> and assign them to the users. Don't have the users make up their own
> passwords. It's relatively (compared to using a computer file exposed
> to remote internet attacks) for users to write down the random
> passwords on paper, as long as they're a little bit careful.

I think you're missing a word there. Relatively secure perhaps?

The problem is that most users will not be a little bit careful. They will stick the password on a Post-it note on the side of the monitor, or write it down and lose it, or leave the paper sitting on their desk while they go to lunch.

> As Bruce Schneier put it:
>
> "My wallet is already a secure container; it has valuable things in
> it, and I have a lifetime of experience keeping it safe. Adding a
> piece of paper with my passwords seems like a natural thing to do."

And people frequently lose their wallets. Besides, with the number of on-line identities and passwords many people need, you'll need a separate wallet just for the passwords.

I have something of the order of 80 or 90 passwords written down, and another dozen in my head. Because there are so many, I need to keep account information with them: there's no way I'd be able to remember what the passwords were for otherwise. That's way too much to put in my wallet, and even if I did, if I lost it, I'd lose *everything*. Not only would some stranger likely have access to all my accounts, but I wouldn't even be able to identify what those accounts were, let alone authenticate into them.

So I need at least one (and likely more) password I can keep in my head, so I can encrypt my list of rarely-used passwords. Because it needs to be something I can remember, it can't be a random string of digits, but it needs to *look* random.

In other words, it needs to be a good password that is meaningful to me, but not to anyone else, and since I'm really bad at judging randomness (like nearly all humans), I'll take all the help I can get.

-- 
Steven
-- 
http://mail.python.org/mailman/listinfo/python-list
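The two ideas in this exchange, that a secret's strength comes from how it was generated rather than how it looks, and that a memorable passphrase can still be drawn from a random source, can be shown side by side in a few lines. The following is an added example, not code from either poster or from the original reviewed program. It uses Python's `secrets` module (the OS CSPRNG), a constructed 32-word list standing in for a real Diceware-style list of 7776 words, and an illustrative rule-based "strength checker" of the kind the thread calls dubious; the word list and the checker's scoring rules are assumptions made for the demonstration.

```python
import math
import secrets
import string

# Constructed word list for this demonstration only. A real Diceware-style
# list has 7776 words; the entropy figure scales with the list size.
WORDS = [
    "anchor", "basket", "cactus", "dragon", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "xenon", "yonder", "zephyr", "bridge", "copper",
    "desert", "engine", "forest", "glacier",
]

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=16, alphabet=ALPHABET):
    """Password of `length` symbols drawn uniformly from `alphabet` via the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=6, words=WORDS, sep=" "):
    """Memorable but random passphrase: `n_words` words drawn uniformly from `words`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generated_entropy_bits(n_symbols, alphabet_size):
    """Entropy of a secret built from n_symbols independent uniform draws.

    This is a property of the generation process, not of the result's
    appearance: a checker looking only at the string cannot recover it.
    """
    return n_symbols * math.log2(alphabet_size)


def naive_strength(password):
    """Illustrative rule-based checker (assumption: scoring rules are made up here).

    Scores 0..5 from length and character classes. It rewards the look of
    a password and has no way to know whether it was chosen predictably.
    """
    score = 0
    if len(password) >= 8:
        score += 1
    if any(c.islower() for c in password):
        score += 1
    if any(c.isupper() for c in password):
        score += 1
    if any(c.isdigit() for c in password):
        score += 1
    if any(c in string.punctuation for c in password):
        score += 1
    return score


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase()
    print("random password :", pw)
    print("   generated entropy: %.1f bits, checker score: %d"
          % (generated_entropy_bits(len(pw), len(ALPHABET)), naive_strength(pw)))
    print("passphrase      :", pp)
    print("   generated entropy: %.1f bits (%.1f with a 7776-word list), checker score: %d"
          % (generated_entropy_bits(6, len(WORDS)),
             generated_entropy_bits(6, 7776), naive_strength(pp)))
    # A predictable, human-chosen pattern gets full marks from the checker.
    print("P@ssw0rd1!      : checker score:", naive_strength("P@ssw0rd1!"))
```

The contrast is the point of the thread: six lowercase words from a 7776-word list carry about 77.5 bits from the draw alone, yet the rule-based checker scores them 2 out of 5, while a well-known substitution pattern like `P@ssw0rd1!` scores 5 out of 5. The checker is measuring appearance; the entropy comes from `secrets` and the size of the space it draws from.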