Date: Wed, 24 Aug 2016 22:25:33 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: GMOs And Passwords

On 08/24/2016 10:22 PM, Scott Arciszewski wrote:
> On Wed, Aug 24, 2016 at 4:18 PM, e@...tmx.net <e@...tmx.net> wrote:
>
>     [insult skipped]
>
>         But how can we as service developers automate checks for this
>         kind of advice? Should we?
>
>
>     we should NOT!
>
>     (1) it is a completely different area of responsibility.
>     do not mess with the users' free will.
>     expanding your "care" beyond the boundaries of your responsibility
>     always causes more trouble than good.
>
>     (2) an ideal password should FAIL all checks.
>     checks are LIMITATIONS.
>     a password that complies with a policy is worse than a password that
>     does not.
>
>
> On one side, I can see how "don't reject any values" could lead to
> more work for attackers.
>
> On the other, if they're certainly going to guess 123456 and password,
> maybe we shouldn't allow users to use those strings in the first place?

ref to (1)
