Date: Thu, 7 Apr 2016 17:03:08 -0400
From: Matt Weir <>
Subject: Re: Password creation policies

Ah, this is much better than Twitter. Thanks Solar for setting up this
mailing list!

>> We must abandon the entire notion of a "policy", if we want a serious
>> discussion about passwords.

>> The "password creation policy" concept is deeply MISLEADING. It confuses
>> all our objectives and analytical tools with marketing and coercion.

To avoid confusion, let me start by defining what I mean when talking about
password creation policies vs password creation strategies.

A password creation strategy is an individual's approach to password
security. It involves their own sense of how to pick a password, where to
use it, where to store it, etc.

A password creation policy is an organization's rules governing password
usage. The reason why we have password creation policies is an organization
might have different thoughts, goals, or risks than an individual. The same
thinking goes into why most companies have a dress code policy vs relying
on individuals' clothing strategies. If they don't, Bob from accounting is
going to show up in something totally inappropriate.

As a side note, password creation policies can further be broken down into
written policies and enforceable policies, and the Venn diagram of those two
doesn't always overlap. A good example of that is the policy to not share
passwords between sites. You can tell users not to do that, but short of
assigning everyone passwords, enforcing that is problematic...

There are solid discussions to have about both topics, and both topics are
important. At the end of the day though, all talk about password creation
strategies really is advice to individuals. "You should use a password
manager", "You should use unique passwords", "You should create a strong
password and here are some tips on how to do that", etc. Password policies
on the other hand focus on what rules organizations should put in place and
how they should enforce them.

That's part of the reason why topics about password strength tend to move
to discussions about password policy. Most people don't care about
passwords. '123456' is the most popular password for a reason. The question
then shifts to what organizations should do to protect themselves and their
users from users picking bad passwords. That's a policy question.

To respond to your point, yes policies can be viewed as marketing and
coercion. Making people wear seat-belts in cars could be classified the
same way. Heck, making sure airplane pilots aren't drunk also falls under
that category. Rules can be good or bad. Part of the effort to make sure
they are the least burdensome as possible while achieving maximum benefit
requires open dialog about them though.

aka @lakiw
