Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 4 Sep 2016 03:09:08 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Authentication process

> 'Complexity' is the rules that are required for passwords such as
> minimum length, lower & upper cases, digits and special characters.

so "complexity" == "password policy"
noted.


> More and more passwords have to pass a 'strength' test before being
> accepted (ex.: blacklist)

what do you mean "strength"?


> With 'trusted' I refer to the fact that no matter how you will restrict
> the password that are allowed, people will always find some sort of
> pattern to help memorizing it.

are you fighting against memorability?


> it seems that we think so much alike that we will all
> choose the exact same next pattern available

sounds plausible, Matt Weir made this point very clear with tangible data.


> Thus my comment, "user-defined passwords could never be trusted" and
> only truly random passwords should be used,

non-sequitur.


> But there are not
> user-friendly, especially ones with enough entropy

_ONES_ have entropy of exactly ZERO.
by the definition of entropy.
(look it up, by the way)
ANY password has zero entropy.

also worth noticing that you have destroyed any appeal to entropy (just 
few lines above, without my help) by showing how a password creation 
procedure is UNRELATED to a password guessing procedure.


> brute force attacks of powerful machines.

why do you concentrate on brute force guessing?
do you discard all intelligently designed dictionaries?
why?


P.S.
i understand by "trust" you mean "accept" am i right?

PS/2
somebody impolitely and arrogantly claimed that EVERYBODY on the list is 
well informed about irrelevance of the entropy to the password guessing 
problem.
care to take your words and insults back?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.