Date: Wed, 24 Aug 2016 22:36:06 +0200 From: Per Thorsheim <per@...rsheim.net> To: passwords@...ts.openwall.com Subject: Re: GMOs And Passwords Den 24.08.2016 22.28, skrev e@...tmx.net: > On 08/24/2016 10:22 PM, Scott Arciszewski wrote: >> On Wed, Aug 24, 2016 at 4:18 PM, e@...tmx.net <mailto:e@...tmx.net> >> <e@...tmx.net <mailto:e@...tmx.net>>wrote: >> On one side, I can see how "don't >> reject any values" could lead to more work for attackers. >> >> On the other, if they're certainly going to guess 123456 and password, >> maybe we shouldn't allow users to use those strings in the first place? > > it is that almost all policies that reject 123456 also reject very > sophisticated very personal and enormously strong passwords. > > this rejection is uncontrollable you can not guarantee that your policy > does not reject: "on the second day of waning moon my granma baked > seventeen cup cakes with swastika frosting" I'm sorry, I didn't see your definition of "policy" here. Are you talking about a written policy, a technically implemented policy, or a password strength meter? A written policy, just like a technical policy implementation, can be written and configured so that it specifically rejects 123456, and nothing else. I wouldn't be surprised if the smarter guys in here could develop a password strength meter (or "filter", if you prefer) that would block 123456 and guarantee you nothing else would be blocked. Personally I prefer thinking of a policy as a description of a desired state, and NOT as law or rules that you MUST at all times be 100% compliant with. -- Best regards, Per Thorsheim
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.