Date: Wed, 20 Apr 2016 23:51:35 +0200 From: "e@...tmx.net" <e@...tmx.net> To: passwords@...ts.openwall.com Subject: Re: Mandatory password changes - DIEDIEDIE! On 04/20/2016 11:40 PM, Per Thorsheim wrote: > Den 20.04.2016 22.57, skrev e@...tmx.net: >>> The statement will simply be something like "stop changing passwords >>> frequently". >> >> +1 >> >>> We can no longer require users to have long & complex passwords, unique >>> to every service & site, and additionally ask them to change them every >>> 30-60-90 days. >> >> it is important to separate all these 4 points. > > Agree. > >> 1. WE CAN AND SHOULD REQUIRE users to have LONG passwords, > > Disagree. Risk analysis should be applied. Having a long password won't > help shit if all data is stored in plain on physically available disk. > (No matter what rule you make, there will always be exceptions.) here you bring even more distant issue into the scope. set it aside. password length is a property that is targeted ONLY to deflect guessing attacks, and should not be confused with physical attacks. so let us set (1) (2) (3) aside altogether; and good luck with the (4). > https://scholar.google.no/citations?view_op=view_citation&continue=/scholar%3Fq%3Dthorsheim%26hl%3Dno%26as_sdt%3D0,5%26scilib%3D1&citilm=1&citation_for_view=tP9nguAAAAAJ:d1gkVwhDpl0C&hl=no&oi=p > > In which we argue for classifying sites & services into risk levels, and > allowing pwd reuse within same level, but mixing of passwords across > different levels. Rude, but at least something to ease the burden on > normal users. i feel bad :( i wanted to write about classifying your personal passwords for improving manageability and reduce interference... you know what i mean.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.