Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 24 Aug 2016 16:32:24 -0400
From: Scott Arciszewski <scott@...agonie.com>
To: passwords@...ts.openwall.com
Subject: Re: GMOs And Passwords

http://www.passwordmeter.com/ says:

Score:
100%

Complexity:
Very Strong

I
​'m not sure what your point is?
​
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

On Wed, Aug 24, 2016 at 4:28 PM, e@...tmx.net <e@...tmx.net> wrote:

> On 08/24/2016 10:22 PM, Scott Arciszewski wrote:
>
>> On Wed, Aug 24, 2016 at 4:18 PM, e@...tmx.net <mailto:e@...tmx.net>
>> <e@...tmx.net <mailto:e@...tmx.net>>wrote:
>>
>>     [insult skipped]
>>
>>         But how we as service developers can automate checks for such
>>         kind of
>>         advices? Should we?
>>
>>
>>     we should NOT!
>>
>>     (1) it is completely different area of responsibility.
>>     do not mess with the users' free will.
>>     expending of your "care" beyond the boundaries of your responsibility
>>     always cases more trouble than good.
>>
>>     (2) an ideal password should FAIL all checks.
>>     checks are LIMITATIONS.
>>     a password that complies to a policy is worse than a password that
>>     does not.
>>
>>
>> ​On one side, I can see how "don't
>> ​reject any values" could lead to more work for attackers.
>>
>> On the other, if they're certainly going to guess 123456 and password,
>> maybe we shouldn't allow users to use those strings in the first place?
>>
>
> it is that almost all policies that reject 123456 also reject very
> sophisticated very personal and enormously strong passwords.
>
> this rejection is uncontrollable you can not guarantee that your policy
> does not reject: "on the second day of waning moon my granma baked
> seventeen cup cakes with swastika frosting"
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ