Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 00:20:20 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Password creation policies

On 04/07/2016 11:01 PM, Patrick Proniewski wrote:
> Hi all,
>
> On 07 avr. 2016, at 22:50, Per Thorsheim wrote:
>
>> Ah. By "password creation policy", I think of some sort of rules for
>> ordinary humans to create passwords that are "strong enough" (accepted
>> by the system where they are to be used), AND memorable, as we still
>> prefer and have to comply with EULA, standards & even law saying we are
>> not allowed to write down our passwords. Something I'm trying to change btw.
>
>
> Do you have some pointers to countries with law banning the write-down of passwords?
>
> I'm CISO in a french university, and I officially tell my users they can write down their new password as long as it stays hidden in their wallet, and as long as they destroy the paper when they are confident they memorized it.
> We also provide our staff with a self hosted password storage web application.

B.Schneier made a good point about writing passwords:
"People are highly proficient at keeping small sheets of paper safe... 
in their wallets."

Actually, writing a password on paper is much better than transmitting 
it (over what channel?) to a data storage application.
People have tremendously poor control over computer programs. Contrary 
to this, physical tokens (sheets of paper) included are very well 
controlled by humans.

Besides that, trusting your password to a program raises some certain 
"identity issues": You do not authenticate yourself in this case, you 
authenticate a program. I do not want to allow a program potentially 
impersonate myself.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.