Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5707516B.9020308@thorsheim.net>
Date: Fri, 8 Apr 2016 08:36:27 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Re: Password creation policies

Den 07.04.2016 23.01, skrev Patrick Proniewski:
> Hi all,
> 
> On 07 avr. 2016, at 22:50, Per Thorsheim wrote:
> 
>> Ah. By "password creation policy", I think of some sort of rules
>> for ordinary humans to create passwords that are "strong enough"
>> (accepted by the system where they are to be used), AND memorable,
>> as we still prefer and have to comply with EULA, standards & even
>> law saying we are not allowed to write down our passwords.
>> Something I'm trying to change btw.
> 
> 
> Do you have some pointers to countries with law banning the
> write-down of passwords?

Received from an employee at a Polish university in spring of 2014:
--
Just for your information (to add to the curiosities list), I have found
the formal reason for the requirement to change passwords every 30 days
- it is the regulation issued by the Ministry of Internal Affairs and
Administration in Poland, and it applies to all IT systems processing
personal data. Full text in Polish is here:
http://www.giodo.gov.pl/plik/id_p/521/j/pl/

The interesting phrase is in the attachment, point 4.IV.2:
"W przypadku gdy do uwierzytelniania użytkowników używa się hasła, jego
zmiana następuje nie rzadziej niż co 30 dni. Hasło składa się co
najmniej z 6 znaków."

Rough translation: "In case when users are authenticated by password,
the password must be changed no less than once every 30 days. The
password must be at least 6 characters long."

--

> I'm CISO in a french university, and I officially tell my users they
> can write down their new password as long as it stays hidden in their
> wallet, and as long as they destroy the paper when they are confident
> they memorized it. We also provide our staff with a self hosted
> password storage web application.

Sounds fair to me. I don't know you, your students or your university,
so I cannot do your risk analysis. In our paranoid world it still is
important to remember that most people don't want to become criminals
even if the opportunity exists.

> patpro

Per @thorsheim

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.