[nycphp-talk] Relax your password rules
Gary Mort
garyamort at gmail.com
Tue Jun 10 15:05:02 EDT 2014
On 06/09/2014 11:02 AM, Chris Snyder wrote:
>
> More and more people just use "I forgot my password", and deal
> with it that way. Either you've exchanged the password for a
> security question, or just access to a user's email.
>
>
>
> For casual access, it's okay to just skip the password field
> altogether and use a token sent to email or sms as an authenticator.
> If you're building something that a user is only going to log into
> once a month or less, it may be less annoying to them to do an email
> roundtrip than it is to create yet another password.
>
> At the other end of the spectrum, I preach the gospel of the password
> manager to anyone who will listen.
>
Depends on the password manager and the person. Password managers
which store everything locally have the risk of losing the file.
Password managers where the data is stored in the cloud mean that in
all likelihood all network traffic to and from that cloud server has
been archived by one or more organizations. While the data archived is
useless today, ten years from now it may be trivial to crack for them.
Personally I'm not concerned about this, but then I am an introvert and
not very involved with the world. :-) Someone active in a group like
Amnesty International might be more concerned. And someone associated
with political dissidents in China would definitely have a good reason to
be concerned.