Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 3 Sep 2016 18:00:03 -0500
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Authentication process

'Complexity' is the rules that are required for passwords such as minimum
length, lower & upper cases, digits and special characters.  More and more
passwords have to pass a 'strength' test before being accepted (ex.:
blacklist) and if you look at the video in my previous email, some want to
forbid certain patterns.

With 'trusted' I refer to the fact that no matter how you will restrict the
password that are allowed, people will always find some sort of pattern to
help memorizing it.  Even if you ban the most popular patterns of today, it
seems that we think so much alike that we will all choose the exact same
next pattern available ... until it will be ban as well.  People who cracks
those password will then just follow the trend.

Thus my comment, "user-defined passwords could never be trusted" and only
truly random passwords should be used, such that a pure brute force attack
is the only solution for guessing a password.  But there are not
user-friendly, especially ones with enough entropy to withstand the brute
force attacks of powerful machines.

On Sat, Sep 3, 2016 at 4:53 PM, e@...tmx.net <e@...tmx.net> wrote:

> Your Password Complexity Requirements are Worthless -
>>
>
> what is "password complexity"
>
>
> I came to the conclusion that user-defined passwords could never be
>> trusted.
>>
>
> what do you mean "trusted"
>
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ