
Is generating passwords bad practice?

  • 17-07-2011 3:34am
    #1
    Closed Accounts Posts: 2,828 ✭✭✭


    I am working on a user login and register system and I have two options as far as creating passwords: either I generate a random alphanumeric password and mail this to the user, or I allow the user to choose their own password and activate their account via a link. I would prefer to just generate a random string either six or eight characters long, but I have heard this is bad practice. What are your opinions on this? I understand I can't make the system bulletproof, but I'd like it to be strong enough to deter hackers.


Comments

  • Registered Users Posts: 981 ✭✭✭fasty


    I think it's more sending a password via email, which usually implies you are storing it in plaintext or some easily reversible hash server side. Email isn't exactly secure.

    Why not set the password to expired right away, so the user logs in with the generated password and resets it right away?


  • Closed Accounts Posts: 6,281 ✭✭✭Ricky91t


    Users will always remember a password they've created better than one sent to them. As well as that, depending on your site, having a password on their phone/laptop/email client could be dangerous. It's better and nearly just as easy to confirm a random string with a script on your site, and it allows them to have their own password.


  • Registered Users Posts: 3,140 ✭✭✭ocallagh


    Let the user set their own password but make sure it's of medium strength.


  • Registered Users Posts: 7,157 ✭✭✭srsly78


    If you set the password policy too strict, users just end up writing their password down or storing it in a file. So it's kinda self-defeating. There is a "happy medium" somewhere in the middle.

    Also, requiring frequent password changes just leads to:

    complexP4ssw0rd1
    complexP4ssw0rd2
    complexP4ssw0rd3
    complexP4ssw0rd4 etc etc


  • Registered Users Posts: 11,979 ✭✭✭✭Giblet


    Well, if I knew someone who had registered on the site, or even just randomly, I could go changing their password for the craic, and they'd have to access their email to get the new one. It actually came up as an issue for some of the pen tests we had done recently, as some guy was testing on a mobile and couldn't log in for some reason, and couldn't get to his email to get his password as one of the other testers had entered his email into our old forgotten password section.

    We now use a confirmation email with an expiring link.


  • Closed Accounts Posts: 2,828 ✭✭✭Reamer Fanny


    Thanks for the prompt replies. I think I will allow the user to choose their own password and enforce a moderate policy, for example:
    • Comparing their password to an array of common passwords and denying or allowing them to have that password based on its complexity.
    • Enforcing a minimum of 6 characters.
    • At least one uppercase character, number and/or symbol.
    If the user chooses to reset their password, it will generate a temporary password and encourage the user to change this at the next login. I would like to make the register/login process as hassle-free as possible so the user doesn't lose interest.


  • Registered Users Posts: 89 ✭✭tehjimmeh


    #include <cstdlib>
    #include <string>
    using std::string;

    // Picks one of four "passwords" at random: a joke about how guessable
    // generated passwords can be, not a real generator.
    string genPassword()
    {
       switch(rand()%4)
       {
          case 0:
             return "love";
          case 1:
             return "sex";
          case 2:
             return "secret";
          default:
             return "god";
       }
    }


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    Generally it's password storage that's the issue. A salted hashed password in the database is a better approach.

    Columns (UserID, UserName, Salt, Password, IsEnabled.....)

    Allowing the user to specify the password at account creation is not bad practice.

    Last time I designed a login system I went with the above approach.


  • Closed Accounts Posts: 2,828 ✭✭✭Reamer Fanny


    JimmyCrackCorn wrote: »
    Generally it's password storage that's the issue. A salted hashed password in the database is a better approach.

    Columns (UserID, UserName, Salt, Password, IsEnabled.....)

    Allowing the user to specify the password at account creation is not bad practice.

    Last time I designed a login system I went with the above approach.

    I think this is the best approach, I wouldn't store the password in plain text. On the registration form I may use Ajax on the password field to compare their entry against a table of common passwords in the database and deny if there is a match, this would encourage the user to choose a more unique password.


  • Registered Users Posts: 22,223 ✭✭✭✭Esel


    If you e-mailed me a password which I had composed myself, I would have to ki.... DDoS your site.

    Seriously, that's a BIG no-no.

    Not your ornery onager



  • Closed Accounts Posts: 2,828 ✭✭✭Reamer Fanny


    Esel wrote: »
    If you e-mailed me a password which I had composed myself, I would have to ki.... DDoS your site.

    Seriously, that's a BIG no-no.

    :D Not entirely what I am going for. I proposed the user chooses their own password on initial registration; if they forget their password, a random string password (upper and lowercase) would be generated and emailed to them, and they would be forced to change their password at next login. It's a similar system here on boards, I think.


  • Registered Users Posts: 1,028 ✭✭✭Hellm0


    On account creation - User enters their own password, you salt it and store the hash in your db. Whenever users log in, you compare against this.

    When user forgets/wants to reset password - Send an email to their account with a key which either references (in db) or contains (bad?) a time span and reference to the user's account. If the link is used outside of the given time span it will not work. If it is within the timespan, allow the user to change the password once (invalidate link after change).

    Never store the actual password, just the hash. Never send the user a generated password, or if you do then it must be one time only (i.e. they need to change password upon login).
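The flow Hellm0 describes, as an added example that is not code from any poster: salted password hashes only, a reset token whose hash (never the raw token) is stored with an expiry, and a link that stops working after one use or after the time span. The PBKDF2 iteration count, the one-hour TTL and the in-memory dicts standing in for database tables are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "tables" standing in for the database columns
# mentioned in the thread (UserID, UserName, Salt, Password, ...).
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"user": str, "expires": float}
RESET_TTL = 3600   # seconds a reset link stays valid (assumption: one hour)

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted and stretched (PBKDF2-HMAC-SHA256). The thread asks for a
    # salted hash; the KDF and iteration count are this example's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    # Fresh salt per account; only salt + hash are stored, never the password.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _pw_hash(password, salt)}

def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"])

def issue_reset_token(username: str, now: float) -> str:
    # The raw token goes into the e-mailed link; the table keeps only its
    # hash, so a leaked table does not yield working reset links.
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_TTL}
    return token

def reset_password(token: str, new_password: str, now: float) -> bool:
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(key, None)  # pop: the link works exactly once
    if rec is None or now > rec["expires"] or rec["user"] not in USERS:
        return False
    register(rec["user"], new_password)  # new salt, new hash
    return True
```

Timestamps are passed in explicitly so the expiry behaviour can be exercised deterministically; a deployment would pass `time.time()`.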


  • Closed Accounts Posts: 2,828 ✭✭✭Reamer Fanny


    I've got a fairly solid system setup now, thanks for all the advice :D


  • Registered Users Posts: 40,038 ✭✭✭✭Sparks


    Emailing passwords in the clear by email? Yeesh. Teach your users that pwgen is their friend, even if they do wind up writing down the password in a notebook somewhere (physical security is a lot easier to handle than electronic security because you can just throw money at it to get it done and, being physical, there's something to point to when management wants to know what it just paid for).


  • Closed Accounts Posts: 2,828 ✭✭✭Reamer Fanny


    Sparks wrote: »
    Emailing passwords in the clear by email? Yeesh. Teach your users that pwgen is their friend, even if they do wind up writing down the password in a notebook somewhere (physical security is a lot easier to handle than electronic security because you can just throw money at it to get it done and, being physical, there's something to point to when management wants to know what it just paid for).

    Haven't got around to the 'forgot your password' function yet. What I have created is the bones of the system, i.e. passwords are salted and the one-way hash is stored in the database. Every time a user registers, a unique timestamp is generated and stored in the database (set to expire in one hour) and an activation link is sent to their email address; the timestamp and form token are validated, and if the user is valid they can now log in. I have still got a lot more to do, and security will always be a concern.


  • Registered Users Posts: 2,800 ✭✭✭voxpop


    Sparks wrote: »
    Emailing passwords in the clear by email? Yeesh.

    Doesn't boards do this??


  • Closed Accounts Posts: 2,828 ✭✭✭Reamer Fanny


    Last time I reset my password here it was in plain text; you are also encouraged to change it at next login (but not forced).

