Date: Thu, 7 Apr 2016 23:37:39 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Re: Password creation policies

> To avoid confusion, let me start by defining what I mean when talking
> about password creation policies vs password creation strategies.
>
> A password creation strategy is an individual's approach to password
> security. It involves their own sense of how to pick a password, where
> to use it, where to store it, etc.
>
> A password creation policy is an organization's rules governing password
> usage.

These are exactly my definitions, which I have implied but failed to articulate.


> To respond to your point, yes policies can be viewed as marketing and
> coercion. Making people wear seat-belts in cars could be classified the
> same way.

Exactly! (by the way, seat-belts should not be enforced as long as the 
driver is alone in the car, same with the "P. policies")

My point is:
The p.policies discussion cannot precede the p.strategy discussion.
When we are done defining "password strength",
then we can talk about p.strategy, and only when we figure out a good 
strategy, then we can try to build a p.policy on top of it.


> Rules can be good or bad. Part of the effort to
> make sure they are the least burdensome as possible while achieving
> maximum benefit requires open dialog about them though.

Taking into account the "state of the art",
the best move here and now is to trash all present p.policies.
Quote:
"Shannon Entropy based policies provide no actionable information for 
the defender, while being overly burdensome..." [I forgot the rest]

I only want to add WHY exactly this is the case,
because
(a) S.Entropy is based on a GUESS: "the universum of expected outcomes"
which is outright irrelevant to our problem.
(b) policy creators are retarded and instead of bottom-limiting the 
length they attempt to extend the alphabet which is plainly futile.
(all in all they took a wrong measure and failed to implement it)

-Eugene
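The two objections in the mail above, that an entropy figure computed from an assumed "universe of outcomes" says nothing about how hard real passwords are to guess, and that widening the alphabet buys less than lengthening the password, can both be made concrete with a few lines of Python. This is an added illustration, not part of the original post or of anything on the list; the "observed" password population is constructed here and is not real data.

```python
import math
from collections import Counter

# Constructed sample population (not real data): six distinct passwords,
# heavily skewed towards a few popular choices, as real populations are.
OBSERVED = (["Password1"] * 40 + ["Welcome1!"] * 25 + ["Summer2016"] * 15
            + ["Qwerty123"] * 10 + ["zX9#kLp2"] * 5 + ["T!m3travel"] * 5)


def policy_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy a composition policy implicitly assumes: every one of the
    alphabet_size ** length strings is equally likely to be chosen."""
    return length * math.log2(alphabet_size)


def shannon_entropy_bits(passwords) -> float:
    """Shannon entropy of the distribution actually observed in the population."""
    counts = Counter(passwords)
    n = len(passwords)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def expected_guesses(passwords) -> float:
    """Expected number of guesses needed by a guesser who knows the observed
    distribution and tries candidates in descending order of probability
    (Massey's guesswork). This, not the entropy, is what a defender pays for."""
    counts = Counter(passwords)
    n = len(passwords)
    probs = sorted((c / n for c in counts.values()), reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(probs))


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length at which a uniformly chosen password over the given
    alphabet reaches target_bits under the policy's own uniform assumption."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # (a) The policy's assumed entropy versus what the population actually shows.
    print(f"policy assumes (94 symbols, length 8): {policy_entropy_bits(94, 8):.1f} bits")
    print(f"observed Shannon entropy:               {shannon_entropy_bits(OBSERVED):.2f} bits")
    print(f"expected guesses against population:    {expected_guesses(OBSERVED):.1f}")

    # (b) Extending the alphabet at fixed length versus extending the length.
    print(f"26 symbols, length 8:  {policy_entropy_bits(26, 8):.1f} bits")
    print(f"94 symbols, length 8:  {policy_entropy_bits(94, 8):.1f} bits")
    print(f"26 symbols, length 12: {policy_entropy_bits(26, 12):.1f} bits")
    print(f"length over 26 symbols needed for 64 bits: {length_for_bits(26, 64)}")
```

The first three lines of output show the gap the quoted sentence is about: a policy that mandates eight characters from a 94-symbol alphabet credits itself with about 52 bits, while the constructed population has roughly 2.2 bits of entropy and falls to an informed guesser in about 2.3 guesses on average. The remaining lines show the length-versus-alphabet point: four extra lowercase letters (26 symbols, length 12) are worth more bits than forcing the full printable set at length 8, which is why a minimum length is the more useful lever for a policy to pull.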
