Date: Wed, 24 Aug 2016 22:36:06 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Re: GMOs And Passwords

Den 24.08.2016 22.28, skrev e@...tmx.net:
> On 08/24/2016 10:22 PM, Scott Arciszewski wrote:
>> On Wed, Aug 24, 2016 at 4:18 PM, e@...tmx.net <e@...tmx.net> wrote:
>>
>> On one side, I can see how "don't
>> reject any values" could lead to more work for attackers.
>>
>> On the other, if they're certainly going to guess 123456 and password,
>> maybe we shouldn't allow users to use those strings in the first place?
> 
> it is that almost all policies that reject 123456 also reject very
> sophisticated very personal and enormously strong passwords.
> 
> this rejection is uncontrollable you can not guarantee that your policy
> does not reject: "on the second day of waning moon my granma baked
> seventeen cup cakes with swastika frosting"

I'm sorry, I didn't see your definition of "policy" here. Are you
talking about a written policy, a technically implemented policy, or a
password strength meter?

A written policy, just like a technical policy implementation, can be
written and configured so that it specifically rejects 123456, and
nothing else.

I wouldn't be surprised if the smarter guys in here could develop a
password strength meter (or "filter", if you prefer) that would block
123456 and guarantee you nothing else would be blocked.

Personally I prefer thinking of a policy as a description of a desired
state, and NOT as law or rules that you MUST at all times be 100%
compliant with.

-- 
Best regards,
Per Thorsheim
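As an added example that is not part of the list thread, the two kinds of policy under discussion side by side: a denylist that rejects exactly the strings an attacker is certain to guess and nothing else, next to a typical composition-rule policy that also rejects those strings but, as a side effect, rejects a long all-lowercase passphrase as well. The denylist contents, the composition rules and the sample passwords are all constructed for illustration.

```python
"""Denylist-only versus composition-rule password policies.

Added example, not code from the list thread. The denylist, the
composition rules and every sample password below are constructed.
"""
import unicodedata

# Constructed denylist: only the two strings the thread names as
# certain guesses. Entries are stored casefolded.
DENYLIST = frozenset({"123456", "password"})


def normalize(password: str) -> str:
    """NFKC-normalize so a lookup is not bypassed by equivalent code
    points (e.g. fullwidth digits standing in for ASCII digits)."""
    return unicodedata.normalize("NFKC", password)


def denylist_policy(password: str) -> bool:
    """The 'reject 123456 and nothing else' policy from the reply.

    Returns True (accepted) for every string except a case-insensitive
    match of a denylist entry.
    """
    return normalize(password).casefold() not in DENYLIST


def composition_policy(password: str, min_len: int = 8) -> bool:
    """A constructed composition-rule policy: minimum length plus one
    character from each of four classes.

    It rejects 123456 and password too, but it also rejects any long
    all-lowercase passphrase, which is the complaint in the thread.
    """
    p = normalize(password)
    if len(p) < min_len:
        return False
    has_upper = any(c.isupper() for c in p)
    has_lower = any(c.islower() for c in p)
    has_digit = any(c.isdigit() for c in p)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in p)
    return has_upper and has_lower and has_digit and has_symbol


def evaluate(candidates):
    """Map each candidate to (denylist_accepts, composition_accepts)."""
    return {c: (denylist_policy(c), composition_policy(c)) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "123456",
        "Password",
        "Tr0ub4d!",
        "my grandmother baked seventeen cupcakes on a tuesday afternoon",
    ]
    for pw, (deny_ok, comp_ok) in evaluate(samples).items():
        print(f"{pw!r:70} denylist={deny_ok} composition={comp_ok}")
```

The passphrase in the last row is exactly the case the thread argues about: the denylist accepts it because it is not a known guess, while the composition rules reject it for lacking uppercase, digits and symbols, even though it is far longer than anything the rules were written to enforce.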
