[WikiEN-l] Empty passwords

Neil Harris usenet at tonal.clara.co.uk
Thu Dec 15 21:50:01 UTC 2005


By mistake, I seem to have logged in as another user. I was typing my 
username, when my finger slipped and I logged in before I had either 
finished typing my complete username, or any password whatsoever.

It seems that the user I accidentally logged in as has an empty password.

* is this really possible, or have I made a mistake?
* if this really is so, this is a moderate-sized security hole, because 
this has the same dangers as accounts with publicly accessible 
passwords, which are generally held to be a case for block-on-sight.

It would probably make sense to check for zero-length passwords at 
account creation time,
and to scan for zero length and other trivial passwords on existing 
accounts, if possible, and issue a warning that they will be locked if 
the user does not change their password after (say) a month.

It would also make sense to try to enforce a simple password-checking 
routine, to make sure that users from now on can only set passwords that 
are at least slightly stronger than a single dictionary word (two short 
words are a surprisingly effective measure in terms of bang-per-character).

-- Neil
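The two controls proposed in the message, a password check at account creation and an audit of existing accounts for empty or trivial passwords with a grace period before locking, are shown below as an added example. This is illustrative code written for this page, not MediaWiki's own; the salted hash format, the `DICTIONARY` and `TRIVIAL` sets, and the sample accounts are all constructed stand-ins.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed word list standing in for a real dictionary file.
DICTIONARY = {"wiki", "password", "secret", "tonal", "harris", "dragon", "letmein"}

# Constructed list of passwords treated as trivial regardless of the dictionary.
TRIVIAL = {"", "password", "123456", "qwerty", "letmein"}


def hash_password(salt: str, password: str) -> str:
    """Toy salted hash used only for this example (hypothetical format)."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def check_new_password(username: str, password: str) -> tuple[bool, str]:
    """Policy applied at account creation or password change.

    Returns (accepted, reason). Rejects empty passwords, trivial passwords,
    the username itself, and anything that is a single dictionary word,
    optionally followed by digits. Two short words pass, as the post suggests.
    """
    if password == "":
        return False, "empty password"
    lowered = password.lower()
    if lowered in TRIVIAL:
        return False, "password is on the trivial list"
    if lowered == username.lower():
        return False, "password equals username"
    # Strip a trailing run of digits so "dragon1" still counts as one word.
    core = re.sub(r"\d+$", "", lowered)
    if core in DICTIONARY:
        return False, "password is a single dictionary word"
    return True, "ok"


def audit_existing_accounts(accounts: list[dict], today: date,
                            grace_days: int = 30) -> list[dict]:
    """Flag stored hashes that match the empty password or a trivial one.

    Each account is {"name", "salt", "hash"}. Only hashes are compared, so
    nothing is recovered beyond confirming membership in the trivial set.
    Each finding carries the lock deadline after the grace period.
    """
    findings = []
    deadline = today + timedelta(days=grace_days)
    for acct in accounts:
        # Order matters: the empty password is checked first.
        candidates = {"": "empty password"}
        for t in TRIVIAL - {""}:
            candidates[t] = "trivial password"
        candidates[acct["name"].lower()] = "password equals username"
        for candidate, label in candidates.items():
            expected = hash_password(acct["salt"], candidate)
            if hmac.compare_digest(expected, acct["hash"]):
                findings.append({"name": acct["name"], "issue": label,
                                 "lock_after": deadline})
                break
    return findings


# Constructed sample accounts: one empty password, one acceptable, one trivial.
SAMPLE_ACCOUNTS = [
    {"name": "Alice", "salt": "s1", "hash": hash_password("s1", "")},
    {"name": "Bob", "salt": "s2", "hash": hash_password("s2", "red kettle")},
    {"name": "Carol", "salt": "s3", "hash": hash_password("s3", "password")},
]


if __name__ == "__main__":
    for user, pw in [("Neil", ""), ("Neil", "dragon1"), ("Neil", "red kettle")]:
        print(user, repr(pw), check_new_password(user, pw))
    for finding in audit_existing_accounts(SAMPLE_ACCOUNTS, date(2005, 12, 15)):
        print(finding)
```

The audit deliberately compares only against a fixed, known-trivial set plus the empty string, which keeps it cheap to run over a whole user table and avoids turning a hygiene scan into a cracking job; the per-account salt means each candidate must be hashed once per account, which is fine at this list size.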