Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 29 Oct 2017 16:41:57 -0600
From: Royce Williams <>
Subject: Re: Real world password policies

On Sun, Oct 29, 2017 at 3:32 PM, Solar Designer <> wrote:

> That's my tentative plan for passwdqc 2.0.  Not so much for processing
> and shipping a password cracker output, although that can be done, but
> rather to take advantage of the recent (and not so recent) availability
> of large password leaks, widespread acceptance of their use for the
> purpose, and to be consistent with the new NIST guidelines.
> The 320 million SHA-1 hashes of leaked passwords (without even
> re-cracking them first, although folks did that) from
> would comfortably fit in an
> 8 GiB Bloom filter with negligible false positive rate and nearly
> instant checks.

I'm pretty sure that the new NIST guidance was intended to encompass
blacklists on the order of Dropbox's zxcvbn or similar, not a blacklist of
such colossal size as the HIBP 320M.

>From a usability standpoint, and taken in isolation, such a blacklist is
completely untenable. It would result in a never-ending "gotcha" guessing
game of "nope, not that one" for the user.

And even if NIST did intend this, such guidance would be ... misguided.
Fully 80% of the HIBP 320M list can be eliminated entirely by simply
requiring passwords of a length greater than 12. Such a limit would also
eliminate millions of other equally poor future passwords - passwords that
would otherwise eventually find their way into such a monstrous,
ever-growing blacklist.

Now, if the plans for passwdqc 2.0 could include working that length
restriction into its parameters ... that might be an interesting
compromise, and dramatically decrease the size of the required blacklist,
and still remaining NIST-"compatible".


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.