Date: Thu, 7 Apr 2016 17:03:08 -0400
From: Matt Weir <cweir@...edu>
To: passwords@...ts.openwall.com
Subject: Re: Password creation policies

Ah, this is much better than Twitter. Thanks Solar for setting up this mailing list!

>> We must abandon the entire notion of a "policy", if we want a serious
>> discussion about passwords.
>> The "password creation policy" concept is deeply MISLEADING. It confuses
>> all our objectives and analytical tools with marketing and coercion.

To avoid confusion, let me start by defining what I mean when talking about password creation policies vs password creation strategies.

A password creation strategy is an individual's approach to password security. It involves their own sense of how to pick a password, where to use it, where to store it, etc.

A password creation policy is an organization's rules governing password usage. The reason why we have password creation policies is that an organization might have different thoughts, goals, or risks than an individual. The same thinking goes into why most companies have a dress code policy vs relying on individuals' clothing strategies. If they don't, Bob from accounting is going to show up in something totally inappropriate.

As a side note, password creation policies can further be broken down into written policies and enforceable policies, and the Venn diagram of those two doesn't always overlap. A good example of that is the policy to not share passwords between sites. You can tell users not to do that, but short of assigning everyone passwords, enforcing that is problematic...

There are solid discussions to have about both topics, and both topics are important. At the end of the day though, all talk about password creation strategies really is advice to individuals. "You should use a password manager", "You should use unique passwords", "You should create a strong password and here are some tips on how to do that", etc.
Password policies on the other hand focus on what rules organizations should put in place and how they should enforce them. That's part of the reason why topics about password strength tend to move to discussions about password policy. Most people don't care about passwords. '123456' is the most popular password for a reason. The question then shifts to what organizations should do to protect themselves and their users from users picking bad passwords. That's a policy question.

To respond to your point, yes, policies can be viewed as marketing and coercion. Making people wear seat belts in cars could be classified the same way. Heck, making sure airplane pilots aren't drunk also falls under that category. Rules can be good or bad. Part of the effort to make sure they are as little of a burden as possible while achieving maximum benefit requires open dialog about them though.

Matt aka @lakiw