• Password Ideas

    From Michael Long@1:229/2 to All on Thursday, October 15, 2020 06:57:30
    From: mplong@gmail.com

    I'd like to suggest maybe not using O/0 and l/1 in the auto-generated passwords, as it can be a bit confusing depending on the terminal/font.

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of emailing forgotten passwords, have
    a method to reset the password, perhaps with a validation token.

    --- SoupGate-Win32 v1.05
    * Origin: www.darkrealms.ca (1:229/2)
  • From Bob Roberts@1:229/2 to All on Thursday, October 15, 2020 13:23:33
    From: bob.roberts@HOVAL.remove-t30-this

    To: Michael Long
    Re: Password Ideas
    By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am

    Also obviously it is a product of its time, but at some point it might be
    nice to encrypt the passwords and also instead of
    emailing forgotten passwords, have a method to reset the password, perhaps
    with a validation token.
    --- Synchronet 3.18c-Win32

    I'm a bit concerned about the plaintext user password storage as well. But most accounts are created via Telnet, which isn't encrypted either... so not sure if it's a big win or not. I know Mystic uses PBKDF2 with SHA512-bit hashing.


    ~BobRob~


    ... Profanity is the one language all programmers know best.

    ---
    ■ Synchronet ■ Halls of Valhalla <> San Francisco <> hovalbbs.com
    --- Synchronet 3.18c-Win32 NewsLink 1.113
    * Vertrauen - Riverside County, California - telnet://vert.synchro.net

    --- SoupGate-Win32 v1.05
    * Origin: www.darkrealms.ca (1:229/2)
  • From Digital Man@1:229/2 to All on Thursday, October 15, 2020 13:49:11
    From: digital.man@vert.synchro.net.remove-puk-this

    To: Bob Roberts
    Re: Password Ideas
    By: Bob Roberts to Michael Long on Thu Oct 15 2020 01:23 pm

    Re: Password Ideas
    By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of
    emailing forgotten passwords, have a method to reset the password, perhaps with a validation token.
    --- Synchronet 3.18c-Win32

    I'm a bit concerned about the plaintext user password storage as well. But most accounts are created via Telnet, which isn't encrypted either... so not sure if it's a big win or not. I know Mystic uses PBKDF2 with SHA512-bit hashing.

    My understanding of key derivation functions (e.g. PBKDF2) is that nothing can reliably reconstruct the original cleartext (password). This means that the user's password could not be used for protocols with authentication schemes that require the
    original password to be known on the server (e.g. CRAM-MD5).

    We've discussed password encryption here a few times over the years, but we always kind of end up back where we started: we can't really introduce password-security (i.e. even the sysop could never discover a user's actual password, so long as secure
    protocols were used, e.g. SSH, HTTPS) without eliminating some existing functionality.

    digital man

    Rush quote #41:
    Angels and demons dancing in my head, lunatics and monsters underneath my bed
    Norco, CA WX: 96.1°F, 17.0% humidity, 7 mph N wind, 0.00 inches rain/24hrs
    --- Synchronet 3.18c-Win32 NewsLink 1.113
    * Vertrauen - Riverside County, California - telnet://vert.synchro.net

    --- SoupGate-Win32 v1.05
    * Origin: www.darkrealms.ca (1:229/2)
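
The trade-off described in the message above, as an added example that is not part of the original thread and is not Synchronet or Mystic code: a server that keeps only a salted PBKDF2-HMAC-SHA512 hash can still check a password the client sends, but it cannot recompute a CRAM-MD5 (RFC 2195) response, because that response is an HMAC-MD5 keyed with the cleartext password. The function names, the iteration count, the sample password and the challenge string are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def pbkdf2_record(password: str) -> dict:
    """What the user database would hold instead of the cleartext password."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": derived}


def verify_submitted_password(record: dict, submitted: str) -> bool:
    """Login where the client sends the password itself (e.g. inside SSH/HTTPS)."""
    derived = hashlib.pbkdf2_hmac("sha512", submitted.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(derived, record["hash"])


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): hex HMAC-MD5 of the challenge, keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def server_accepts_cram(server_secret: bytes, challenge: bytes, client_digest: str) -> bool:
    """The server recomputes the digest from whatever secret it has on file."""
    return hmac.compare_digest(cram_md5_digest(server_secret, challenge), client_digest)


def demo() -> dict:
    password = "constructed-Passw0rd"            # constructed sample value
    challenge = b"<1896.697170952@bbs.example>"  # constructed sample challenge
    record = pbkdf2_record(password)
    # The client only holds the cleartext password, so it keys the HMAC with that.
    client_digest = cram_md5_digest(password.encode(), challenge)
    return {
        "submitted_password_vs_hash": verify_submitted_password(record, password),
        "cram_with_cleartext_on_file": server_accepts_cram(password.encode(), challenge, client_digest),
        "cram_with_only_hash_on_file": server_accepts_cram(record["hash"], challenge, client_digest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
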
  • From MRO@1:229/2 to All on Thursday, October 15, 2020 20:24:17
    From: mro@BBSESINF.remove-1uu-this

    To: Michael Long
    Re: Password Ideas
    By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am

    From Newsgroup: alt.bbs.synchronet

    I'd like to suggest maybe not using O/0 and l/1 in the auto-generated passwords, as it can be a bit confusing depending on the terminal/font.

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of emailing forgotten passwords, have a method to reset the password, perhaps with a validation token.

    I disagree with your first request but support fully your requests on passwords.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
    --- Synchronet 3.18c-Win32 NewsLink 1.113
    * Vertrauen - Riverside County, California - telnet://vert.synchro.net

    --- SoupGate-Win32 v1.05
    * Origin: www.darkrealms.ca (1:229/2)