Old 07-16-2011, 11:22 AM   #1
McFly85
Registered User
 
Join Date: Jul 2007
Posts: 11
Generate username & password or let new signup create their own?

I wanted to get some different opinions on whether it's better to automatically generate a more secure username and password for a new signup or give them the option to create their own? I currently let them create their own but think I would have far fewer hacks and shared ids if I didn't. Not sure if it has any impact on a sale.
Old 07-16-2011, 11:58 AM   #2
Chosen
 
Join Date: Aug 2001
Posts: 63,151
Their own
Old 07-16-2011, 12:01 PM   #3
Barefootsies
Choice is an Illusion
 
Join Date: Feb 2005
Location: Land of Obama
Posts: 42,635
:2cents

Old 07-16-2011, 12:17 PM   #4
CurrentlySober
Too lazy to wipe my ass
 
Join Date: Aug 2002
Location: A Public Bathroom
Posts: 38,486
Quote:
Originally Posted by Barefootsies View Post
is that the 'Spock' death grip from star trek?
Old 07-16-2011, 12:19 PM   #5
DWB
Registered User
 
Join Date: Jul 2003
Location: Encrypted. Access denied.
Posts: 31,779
When you generate for them, prepare for an endless amount of support mails because most of them can't remember "76eYfsh25" and never seem to remember they have an email with that pass in it, or the fact that they can set their browser to remember the password.

We cut our support mails down by around 99% when we let them choose their own user/pass. I trust Strongbox will take care of most the hackers and password traders.
Old 07-16-2011, 12:22 PM   #6
EDepth
Confirmed User
 
Join Date: Nov 2005
Location: Seattle, WA
Posts: 510
I say let the user create their own. They will remember it by heart, won't have to email you asking for it, etc... If they are going to share it with friends, they will whether it's randomly generated or not. Same goes with the hacked accounts, it will be stolen from an end user via some malware either way.
Old 07-16-2011, 12:23 PM   #7
seeandsee
Check SIG!
 
Join Date: Mar 2006
Location: Europe (Skype: gojkoas)
Posts: 50,945
create by yourself, store somewhere and encrypt
Old 07-16-2011, 12:40 PM   #8
PromoterX
Confirmed User
 
Join Date: Sep 2010
Posts: 949
Quote:
Originally Posted by DWB View Post
When you generate for them, prepare for an endless amount of support mails because most of them can't remember "76eYfsh25" and never seem to remember they have an email with that pass in it, or the fact that they can set their browser to remember the password.

We cut our support mails down by around 99% when we let them choose their own user/pass. I trust Strongbox will take care of most the hackers and password traders.
...and thread closed.... everyone can go home now.
Old 07-16-2011, 12:42 PM   #9
jimmycooper
Confirmed User
 
Join Date: May 2010
Location: Manhattan
Posts: 4,016
Let them create their own.
Old 07-16-2011, 01:03 PM   #10
Barry-xlovecam
It's 42
 
Join Date: Jun 2010
Location: Global
Posts: 18,083
We let them use their own password and then use strong encryption to store it in the database ...
Old 07-16-2011, 01:07 PM   #11
CurrentlySober
Too lazy to wipe my ass
 
Join Date: Aug 2002
Location: A Public Bathroom
Posts: 38,486
Don't even let the fuckers into your members area in the first place!

Just take their money, and tell em to go fuck themselves...

ZERO PIRACY that way...
Old 07-16-2011, 02:11 PM   #12
Chosen
 
Join Date: Aug 2001
Posts: 63,151
Quote:
Originally Posted by CurrentlySober View Post
Don't even let the fuckers into your members area in the first place!

Just take their money, and tell em to go fuck themselves...

ZERO PIRACY that way...
Old 07-18-2011, 05:49 AM   #13
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
We favor a kind of middle ground, and have built a free tool to make it easy for you to do.

When users choose their own, approximately 15% will choose a password from the top
10 most popular. These are things like "password" and "123456". The bad guys know
what those top ten passwords are, and they will be guessed. So letting users choose
their own doesn't work too well. At least, not as most adult sites do it. The way
banks do it is a little better - you can choose your own, but subject to certain rules,
so you're not allowed to have "password" as your password. Of course, many sites
are TOO restrictive in their rules -- 8-10 characters, must start with a letter, must not ...
Longer passwords are always better, so 8-10 characters is a dumb rule.

Assigning random passwords also has problems. Paying customers are often people
who are not technically sophisticated enough to find what they want for free, so
they have trouble even TYPING "lI1Kg`O0^}+", much less REMEMBERING it.

The middle ground we use is to assign passwords that are easy for most people to
type and can even be remembered, but are not easy for the bad guys to guess.
The passwords created by our free tool look like words and can be pronounced
like words, so they can be typed. An example would be "betorling". That's easier to
type than "J(dD?/gW", and certainly easier to remember. "betorling" isn't really a
word, though, so it's not in the bad guy's dictionary.

The free password generator can be found at:
https://bettercgi.com/strongbox/passgen/
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
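The two approaches described in the post above, sketched as an added example that is not part of the thread and not the Strongbox tool's code: a pronounceable password drawn from a cryptographic random source, and a policy check for user-chosen passwords that sets a minimum length but no maximum. The syllable alphabet, the short common-password list and the function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed syllable alphabet (an assumption, not the Strongbox tool's own).
CONSONANTS = "bdfghjklmnprstvz"   # 16 choices per position
VOWELS = "aeiou"                  # 5 choices per position

# Constructed sample of commonly guessed passwords; a real deployment would
# load a much larger list.
COMMON = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}


def pronounceable(syllables=6):
    """Return a consonant-vowel password drawn from the OS CSPRNG."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(syllables)
    )


def entropy_bits(syllables=6):
    """Bits of entropy when every syllable is chosen uniformly at random."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def acceptable(chosen, username="", min_len=8):
    """Policy check for a user-chosen password: a minimum length only (no
    maximum), not on the common list, and not built around the username."""
    lowered = chosen.lower()
    if len(chosen) < min_len:
        return False
    if lowered in COMMON:
        return False
    if username and username.lower() in lowered:
        return False
    return True
```

`entropy_bits()` makes the trade-off visible: each extra syllable adds about 6.3 bits, so length is what buys guessing resistance in a scheme like this.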
Old 07-18-2011, 05:57 AM   #14
MaDalton
I am Amazing Content!
 
Join Date: Feb 2004
Posts: 39,821
Quote:
Originally Posted by DWB View Post
When you generate for them, prepare for an endless amount of support mails because most of them can't remember "76eYfsh25" and never seem to remember they have an email with that pass in it, or the fact that they can set their browser to remember the password.

We cut our support mails down by around 99% when we let them choose their own user/pass. I trust Strongbox will take care of most the hackers and password traders.
I surely don't have thousands of members, but I haven't gotten one email yet from someone who forgot his username or password. And I use 16 digit random for both.
Old 07-18-2011, 06:03 AM   #15
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by Barry-xlovecam View Post
We let them use their own password and then use strong encryption to store it in the database ...
The right encryption is important, especially if you use a lot of PHP to drive your
site, as many sites do these days. Especially on a PHP powered site, you have to
assume that the bad guys can see your database. That means that unless the passwords
are properly encrypted, they can see ALL of your passwords. Having thousands of
passwords posted everywhere is not a fun experience, so they need to be encrypted to
keep the bad guys from reading them and posting them. (Technically, they are hashed

So what's the proper encryption? By default, the processors use a type of encryption
called a DES hash. It's used because it's always available, having been a standard
since 1972. In 1972, it was pretty hard to crack. Of course, computers of the time
had 500 kHz processors and 8 KB of RAM. It would take a few years to crack a DES
password, since the 8 bit CPU ran at 0.0005 GHz. In 2011, with quad core 64 bit
2 GHz processors, they can be cracked over 80,000 times faster. Running a typical
DES password list on a modern machine gives up passwords in under one second.
So DES is useless, but it's still the default.

For modern attackers, rather than 1972 attackers, you want modern encryption.
Given the Blowfish bug, that means salted SHA if your server supports it or salted
MD5 if not. The geeks who make Linux made it very easy to upgrade your encryption.
All that needs to be done is to adjust your processor's script to pass a different salt
value, and we can take care of that for you. Today's encryption is expected to be
solid for another 30 years or so, so in 2041 you can upgrade again.

Last edited by raymor; 07-18-2011 at 06:05 AM..
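A sketch of salted password storage with an upgrade-on-login path, as an added example that is not part of the post above or of any Strongbox code. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the crypt() schemes named in the post; the record format, the iteration count and the `db` dict standing in for a members table are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Return (ok, needs_rehash); needs_rehash flags records below ITERATIONS."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False, False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return ok, ok and int(iters) < ITERATIONS


def login(db, user, password):
    """Check a login against db and, after a successful check, replace a
    record hashed with an older work factor by one at the current setting."""
    stored = db.get(user)
    if stored is None:
        return False
    ok, needs_rehash = verify(password, stored)
    if needs_rehash:
        db[user] = hash_password(password)
    return ok
```

Because the parameters travel inside each stored record, old and new hashes can coexist in the same table while members are migrated one successful login at a time.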
Old 07-18-2011, 08:03 PM   #16
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
MacFly, Troy just posted a good analysis of what happens when users
choose passwords. The one sentence summary is that they choose easily guessed
passwords 70% of the time.

http://www.troyhunt.com/2011/07/scie...selection.html