Date: Fri, 8 Apr 2016 17:33:28 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Re: Password creation policies

>> instead of bottom-limiting the
>> length they attempt to extend the alphabet which is plainly futile.

> I *strongly* disagree with this statement.

I hope you see that an increment in length DWARFS the extension of the 
alphabet in terms of entropy. It should be OBVIOUS to any even 
slightly competent policy creator.
If it is not, then the policy creator is AT LEAST incompetent.
So I consider your "strongly" to be merely an expression of 
emotions, not an argument.


> I'd appreciate it if you kept personal attacks out of
> this discussion.

I do not attack anyone personally -- I do not even know them.
I have shown you already that Google's and MS's policies
NEGATE EACH OTHER, and I take it as a clear sign of retardation.
They have absolutely no idea what they are doing, yet they force me to 
do the same nonsense.


> struggled with creating and implementing password policies.

Of course they struggle!!!
Because they don't know what parameter they are trying to optimize!
They are trying to solve an unknown problem.
That is a struggle, no doubt.


>>(a) S.Entropy is based on a GUESS: "the universum of expected outcomes"
>> which is outright irrelevant to our problem.

> Believe it or not, that's not my issue with Shannon Entropy.

I believe you.
You should immediately reconsider your opinion about S.Entropy.
S.Entropy BY THE VERY DEFINITION is completely unrelated to our problem.


> That being said, I fully understand why NIST went with Shannon Entropy
> since it at least was an attempt to base defensive policies on perceived
> attacker strategies.

But it is not!!!
They do not perceive attacks; instead they assume that their own 
password creation hardships somehow represent the hardships of a 
hypothetical attacker.
(Please take it seriously) entropy characterizes your password creation 
framework (I am absolutely serious) and nothing more!!!
Then comes an attacker and reproduces your password using another 
framework, characterized by much less entropy than yours.
Then comes the panic: "A powerful attack is discovered!!!"
NO.
It is not that the attack is so scarily powerful; it is that your initial 
assumptions are so tremendously deranged.


Password strength is a function of an attack.
Entropy is not, and is therefore irrelevant.


-Eugene
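The point made above, that an entropy figure describes the framework that created a password rather than the work an attacker faces, can be made concrete. The following is an added example, not code from the poster or the list: it credits a password the way a character-class policy would (length times log2 of the alphabet implied by the classes used, an assumed model standing in for NIST-style scoring) and then ranks the same password inside a small, constructed attacker framework (a five-word base list plus a handful of suffix rules, both invented here). The gap between the two numbers is the "panic" described in the post.

```python
import math

# Constructed sample data standing in for an attacker's guessing framework.
# These are NOT real cracker wordlists or rules, just enough to show the mechanism.
WORDLIST = ["password", "summer", "welcome", "dragon", "monkey"]
SUFFIXES = ["", "1", "123", "1!", "2016", "!"]


def charset_size(password: str) -> int:
    """Alphabet size a character-class policy would infer from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def policy_bits(password: str) -> float:
    """Entropy the creation framework credits itself with: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def attacker_guesses():
    """Enumerate the attacker's framework: each base word, plain or capitalised,
    followed by each suffix. Order matters: it is the attacker's guess order."""
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def attacker_bits(password: str):
    """log2 of the guess number at which the attacker's framework hits the password,
    or None if that framework never produces it (the attacker must try something else)."""
    for guess_number, guess in enumerate(attacker_guesses(), start=1):
        if guess == password:
            return math.log2(guess_number)
    return None


def compare(password: str) -> dict:
    """Side-by-side view of the two 'entropies' for one password."""
    return {
        "password": password,
        "policy_bits": round(policy_bits(password), 1),
        "attacker_bits": None if attacker_bits(password) is None
        else round(attacker_bits(password), 1),
    }


if __name__ == "__main__":
    # "Password1!" satisfies every character-class rule yet sits at guess #10 here.
    for pw in ("Password1!", "dragon2016", "xq9#Lm2vR$"):
        print(compare(pw))
```

Run stand-alone it prints one line per constructed password; the policy score for "Password1!" is about 65.7 bits (ten characters over a 95-symbol alphabet), while the constructed attacker framework reaches it on its tenth guess, about 3.3 bits. The third password is not produced by this framework at all, which is the only sense in which it is stronger against this particular attack; against a different framework the answer could differ, which is the post's point that strength is a function of the attack.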
