Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Apr 2016 22:40:58 +0200
From: "" <>
Subject: Re: Password creation policies

>> The "password creation policy" concept is deeply MISLEADING. It confuses
>> all our objectives and analytical tools with marketing and coercion.
> Blazing guns! Better arguments please.

This is a real argument.
The decomposition helps solving problems.
Unrelated entities mixed into the topic -- do not.
I phrased this point few weeks ago thusly:

[the article] is written from a standpoint of a service provider and 
assumes "him" to influence users' password creation strategy -- this is 
an erroneous stance in and of itself. It conflates responsibilities! The 
password _guessing_ attacks constitutes a private "dispute" between the 
defender and the attacker while the mediator, the service provider, has 
its own huge pile of problems: how to deflect all the rest types of 
attacks -- and those must not be confused with the former.

> We discuss anything related to passwords, including biometrics, 2SV,
> 2FA, linguistics, statistics, psychology, math, crypto, voodoo, magical
> unicorns and MASSIVE gpu clusters. And more!

I do not call you to limit the scope of your discussion, I want to avoid 
confusion between "password choosing strategy" and "password creation 
policy" -- let's not substitute one discussion with another; they are 
not the same and the "policy problems" are apparently derivative to the 
"password problems".


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.