Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 23 Mar 2018 23:13:52 +0100
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Submitting Partial Password Hashes to Pwned Password
 Lookup

>>> Telling people the password they have selected has been cracked in the past, when in all likelihood they will then select a password that is just as weak, doesn’t seem a very effective tactic.
>>
>>
>> this bold claim is so stupid on so many levels, i can't even.
> 
> Maybe I wasn’t clear enough or perhaps I am missing something, but in my experience most users have some method or rubric for picking passwords. If an IT system rejects a proposed password because it is on a list of 300 million passwords that have already been cracked, they are likely to keep using the same rubric to pick and submit a different password until they find one that is not on the list. There is little reason to think the final password will be materially stronger than the password initially rejected. I was contrasting this tactic with the 63b suggestion to hash passwords using a hardware protected secret, which fundamentally changes the risk equation by eliminating the use of the hash as an oracle for password guessing. I was not intending to criticize filtering with much shorter lists of very common passwords, such as 123456 or password1, which might be vulnerable to trial login attacks, even with failed-attempt throttling.

you are so amazingly comfortable with assertions,
I envy your confidence.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.