Date: Thu, 7 Apr 2016 23:37:39 +0200
From: "" <>
Subject: Re: Re: Password creation policies

> To avoid confusion, let me start by defining what I mean when talking
> about password creation policies vs password creation strategies.
> A password creation strategy is an individual's approach to password
> security. It involves their own sense of how to pick a password, where
> to use it, where to store it, etc.
> A password creation policy is an organization's rules governing password
> usage.

These are exactly my definitions, which I had implied but failed to articulate.

> To respond to your point, yes policies can be viewed as marketing and
> coercion. Making people wear seat-belts in cars could be classified the
> same way.

Exactly! (By the way, seat belts should not be enforced as long as the
driver is alone in the car; the same goes for the "P. policies".)

My point is:
The p.policies discussion cannot precede the p.strategy discussion.
When we are done with defining "password strength",
then we can talk about p.strategy, and only when we figure out a good
strategy can we try to build a p.policy on top of it.

> Rules can be good or bad. Part of the effort to
> make sure they are the least burdensome as possible while achieving
> maximum benefit requires open dialog about them though.

Taking into account the "state of the art",
the best move here and now is to trash all present p.policies.
"Shannon Entropy based policies provide no actionable information for
the defender, while being overly burdensome..." [I forgot the rest]

I only want to add WHY exactly this is the case:
(a) S.Entropy is based on a GUESS, "the universum of expected outcomes",
which is outright irrelevant to our problem.
(b) policy creators are retarded and instead of bottom-limiting the
length they attempt to extend the alphabet, which is plainly futile.
(All in all they took a wrong measure and failed to implement it.)
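As an added illustration of the two points above (this is example code written for this page, not something posted in the thread), the following Python contrasts the "assumed" entropy that a composition policy credits to a password (a uniform guess over the permitted alphabet and length) with the Shannon entropy of what users actually chose under that policy, and compares how many bits a policy gains by widening the alphabet versus by raising the minimum length. The password sample is constructed for the example and is not real data.

```python
import math
from collections import Counter

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits a policy assumes: log2(alphabet^length), i.e. a uniform guess
    over the 'universe of expected outcomes' the policy permits."""
    return length * math.log2(alphabet_size)

def empirical_entropy_bits(passwords: list[str]) -> float:
    """Shannon entropy of the observed choice distribution, in bits.
    This is what a defender actually faces, not what the policy assumes."""
    counts = Counter(passwords)
    n = len(passwords)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def bits_gained_by_alphabet(length: int, old_alpha: int, new_alpha: int) -> float:
    """Gain from extending the alphabet at a fixed length: length * log2(new/old)."""
    return keyspace_bits(new_alpha, length) - keyspace_bits(old_alpha, length)

def bits_gained_by_length(alpha: int, old_len: int, new_len: int) -> float:
    """Gain from raising the length at a fixed alphabet: (new-old) * log2(alpha).
    Every extra character adds a full log2(alpha) bits, independent of length."""
    return keyspace_bits(alpha, new_len) - keyspace_bits(alpha, old_len)

# Constructed sample: 20 choices made under an "8+ chars, upper+lower+digit+symbol"
# composition policy. The skew toward a few predictable patterns is the point.
SAMPLE_UNDER_COMPOSITION_POLICY = (
    ["Password1!"] * 12 + ["Welcome1!"] * 5 + ["Qwerty123!"] * 2 + ["Xk9#mQ2v"]
)

def compare_policy_assumption_to_reality(passwords: list[str],
                                          alphabet_size: int = 94,
                                          min_length: int = 8) -> dict:
    """Assumed bits (policy's uniform guess) vs. empirical bits (observed choices)."""
    return {
        "assumed_bits": keyspace_bits(alphabet_size, min_length),
        "empirical_bits": empirical_entropy_bits(passwords),
    }

def compare_alphabet_vs_length() -> dict:
    """Point (b): at length 8, going from 26 lowercase letters to all 94
    printables vs. staying lowercase and requiring four more characters."""
    return {
        "alphabet_26_to_94_at_len_8": bits_gained_by_alphabet(8, 26, 94),
        "length_8_to_12_at_alpha_26": bits_gained_by_length(26, 8, 12),
    }

if __name__ == "__main__":
    r = compare_policy_assumption_to_reality(SAMPLE_UNDER_COMPOSITION_POLICY)
    print(f"policy assumes {r['assumed_bits']:.1f} bits, "
          f"observed choices carry {r['empirical_bits']:.2f} bits")
    g = compare_alphabet_vs_length()
    for k, v in g.items():
        print(f"{k}: +{v:.1f} bits")
```

Run as a script it prints the policy's assumed ~52 bits next to the roughly 1.5 bits the constructed sample actually carries, and shows that four extra lowercase characters buy more than the entire jump from 26 to 94 symbols. The gap between the first two numbers is why the entropy a composition policy credits is not actionable for the defender: it measures the guess the policy made about users, not the users.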

