Message-ID: <5706D323.9050109@bestmx.net>
Date: Thu, 7 Apr 2016 23:37:39 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Re: Password creation policies

> To avoid confusion, let me start by defining what I mean when talking
> about password creation policies vs password creation strategies.
>
> A password creation strategy is an individual's approach to password
> security. It involves their own sense of how to pick a password, where
> to use it, where to store it, etc.
>
> A password creation policy is an organization's rules governing password
> usage.

These are exactly my definitions, which I have implied and failed to articulate.

> To respond to your point, yes policies can be viewed as marketing and
> coercion. Making people wear seat-belts in cars could be classified the
> same way.

Exactly!
(By the way, seat-belts should not be enforced as long as the driver is alone in the car, same with the "P. policies".)

My point is:
The p.policies discussion cannot precede the p.strategy discussion.
When we are done with defining "password strength", then we can talk about p.strategy, and only when we figure out a good strategy, then we can try to build a p.policy on top of it.

> Rules can be good or bad. Part of the effort to
> make sure they are the least burdensome as possible while achieving
> maximum benefit requires open dialog about them though.

Taking into account the "state of the art", the best move here and now is to trash all present p.policies.

Quote: "Shannon Entropy based policies provide no actionable information for the defender, while being overly burdensome..." [I forgot the rest]

I only want to add WHY exactly this is the case, because
(a) S.Entropy is based on a GUESS: "the universe of expected outcomes", which is outright irrelevant to our problem.
(b) policy creators are retarded and instead of bottom-limiting the length they attempt to extend the alphabet, which is plainly futile.
(All in all, they took a wrong measure and failed to implement it.)

-Eugene