Date: Fri, 8 Apr 2016 17:33:28 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Re: Password creation policies

>> instead of bottom-limiting the
>> length they attempt to extend the alphabet which is plainly futile.

> I *strongly* disagree with this statement.

I hope you see that increment in length DWARFS the extension of the alphabet in terms of entropy. It should be OBVIOUS to any however slightly competent policy creator. If it is not, then the policy creator is AT LEAST incompetent. So I consider your "strongly" to be merely an expression of emotions, not an argument.

> I'd appreciate it if you kept personal attacks out of
> this discussion.

I do not attack anyone personally -- I do not even know them. I have shown you already that Google's and MS's policies NEGATE EACH OTHER; and I take it as a clear sign of retardation. They have absolutely no idea what they are doing, yet they force me to do the same nonsense.

> struggled with creating and implementing password policies.

Of course they struggle!!! Because they don't know what parameter they are trying to optimize! They are trying to solve an unknown problem. That is a struggle, no doubt.

>>(a) S.Entropy is based on a GUESS: "the universum of expected outcomes"
>> which is outright irrelevant to our problem.

> Believe it or not, that's not my issue with Shannon Entropy.

I believe you. You should immediately reconsider your opinion about S.Entropy. S.Entropy BY THE VERY DEFINITION is completely unrelated to our problem.

> That being said, I fully understand why NIST went with Shannon Entropy
> since it at least was an attempt to base defensive policies on perceived
> attacker strategies.

But it is not!!! They do not perceive attacks, instead they assume that their own password creation hardships somehow represent the hardships of a hypothetical attacker.

(Please take it seriously) entropy characterizes your password creation framework (I am absolutely serious) and nothing more!!! Then comes an attacker and reproduces your password using another framework, characterized with much less entropy than yours. Then comes the panic: "A powerful attack is discovered!!!" NO. It is not that the attack is so scarily powerful, it is that your initial assumptions are so tremendously deranged.

Password strength is a function of an attack. Entropy is not, therefore irrelevant.

-Eugene
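
The claim in the message above, that strength depends on the attack model rather than on the entropy of the creation framework, as an added example that is not part of the original e-mail. It scores two passwords with a character-class entropy estimate and with their position in a toy word-plus-suffix guessing model; the word list, suffix list and both passwords are constructed for illustration.

```python
import math
import string
from itertools import product

# Constructed sample data (assumptions for illustration, not from the e-mail).
WORDS = ["password", "welcome", "dragon", "monkey"]
SUFFIXES = [""] + [str(d) for d in range(10)] + [f"{d}!" for d in range(10)]

def charset_bits(pw):
    """Policy-style estimate: length * log2(size of the character classes used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(alphabet)

def mangling_guesses():
    """Guess order of a toy model: word, optional capitalisation, common suffix."""
    for word, suffix in product(WORDS, SUFFIXES):
        for base in (word, word.capitalize()):
            yield base + suffix

def guess_rank(pw):
    """1-based position of pw in the model's guess order, or None if never guessed."""
    for rank, guess in enumerate(mangling_guesses(), start=1):
        if guess == pw:
            return rank
    return None

def compare(pw):
    """Return (charset estimate in bits, guess rank, log2 of rank or None)."""
    rank = guess_rank(pw)
    attack_bits = round(math.log2(rank), 1) if rank else None
    return round(charset_bits(pw), 1), rank, attack_bits

if __name__ == "__main__":
    # "Password1!" satisfies a four-class policy; the second is 12 lowercase letters.
    for pw in ("Password1!", "qzvjxkrwpmtb"):
        print(pw, compare(pw))
```

The four-class password gets the higher character-class estimate, yet this guessing model reaches it within a few dozen guesses and never produces the lowercase-only one.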