« First « Previous Comments 77 - 85 of 85 Search these comments
HeadSet saysHow does that work when after three tries the account is locked out?
Maybe not the best example, but the point is, the attack will be much broader than a single user, and weak password requirements mean less guesses before getting a match.
I don't even use a recognizable username on my machine, much less a common password, and "root" is disabled by default.
My point is the more complex they make passwords, then the lazier the user will be to have that impossible password handy, and the easier it will be for the baddies to retrieve it for the users actions of storing it on a sticky note, or pasting the password from a file on their computer.
<script>code</script>or
<a onclick="...code..."></a>you can easily and robustly thwart most xss vectors and sinks. CSP can potentially be very powerful against xss if you dont mind writing your code in certain ways, such as putting all js in .js files. CSP can support allowing you to use inline script tags safely if you tag each with a random-per-page-load nonce, or tagged with a checksum of the code contents.
It's true, you can make a very strong password with just lowercase. But that's not the point - the policy is used because SOME users will create weak passwords if the system lets them type it in
CSP can potentially be very powerful against xss if you dont mind writing your code in certain ways, such as putting all js in .js files.
« First « Previous Comments 77 - 85 of 85 Search these comments
And if anyone's interested I use Keepass, none of that cloud shit.