Date: Fri, 8 Apr 2016 08:36:27 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Re: Password creation policies

On 07.04.2016 23.01, Patrick Proniewski wrote:
> Hi all,
>
> On 07 Apr. 2016, at 22:50, Per Thorsheim wrote:
>
>> Ah. By "password creation policy", I think of some sort of rules
>> for ordinary humans to create passwords that are "strong enough"
>> (accepted by the system where they are to be used), AND memorable,
>> as we still prefer and have to comply with EULAs, standards & even
>> laws saying we are not allowed to write down our passwords.
>> Something I'm trying to change, btw.
>
>
> Do you have some pointers to countries with laws banning the
> writing down of passwords?

Received from an employee at a Polish university in spring of 2014:

--
Just for your information (to add to the curiosities list), I have found the formal reason for the requirement to change passwords every 30 days: it is the regulation issued by the Ministry of Internal Affairs and Administration in Poland, and it applies to all IT systems processing personal data.

Full text in Polish is here: http://www.giodo.gov.pl/plik/id_p/521/j/pl/

The interesting phrase is in the attachment, point 4.IV.2:

"W przypadku gdy do uwierzytelniania użytkowników używa się hasła, jego zmiana następuje nie rzadziej niż co 30 dni. Hasło składa się co najmniej z 6 znaków."

Rough translation:

"In cases where users are authenticated by password, the password must be changed no less than once every 30 days. The password must be at least 6 characters long."
--

> I'm CISO in a French university, and I officially tell my users they
> can write down their new password as long as it stays hidden in their
> wallet, and as long as they destroy the paper when they are confident
> they have memorized it. We also provide our staff with a self-hosted
> password storage web application.

Sounds fair to me.

I don't know you, your students or your university, so I cannot do your risk analysis. In our paranoid world it is still important to remember that most people don't want to become criminals even if the opportunity exists.

> patpro

Per
@thorsheim