Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 08:36:27 +0200
From: Per Thorsheim <>
Subject: Re: Password creation policies

Den 07.04.2016 23.01, skrev Patrick Proniewski:
> Hi all,
> On 07 avr. 2016, at 22:50, Per Thorsheim wrote:
>> Ah. By "password creation policy", I think of some sort of rules
>> for ordinary humans to create passwords that are "strong enough"
>> (accepted by the system where they are to be used), AND memorable,
>> as we still prefer and have to comply with EULA, standards & even
>> law saying we are not allowed to write down our passwords.
>> Something I'm trying to change btw.
> Do you have some pointers to countries with law banning the
> write-down of passwords?

Received from an employee at a Polish university in spring of 2014:
Just for your information (to add to the curiosities list), I have found
the formal reason for the requirement to change passwords every 30 days
- it is the regulation issued by the Ministry of Internal Affairs and
Administration in Poland, and it applies to all IT systems processing
personal data. Full text in Polish is here:

The interesting phrase is in the attachment, point 4.IV.2:
"W przypadku gdy do uwierzytelniania użytkowników używa się hasła, jego
zmiana następuje nie rzadziej niż co 30 dni. Hasło składa się co
najmniej z 6 znaków."

Rough translation: "In case when users are authenticated by password,
the password must be changed no less than once every 30 days. The
password must be at least 6 characters long."


> I'm CISO in a french university, and I officially tell my users they
> can write down their new password as long as it stays hidden in their
> wallet, and as long as they destroy the paper when they are confident
> they memorized it. We also provide our staff with a self hosted
> password storage web application.

Sounds fair to me. I don't know you, your students or your university,
so I cannot do your risk analysis. In our paranoid world it still is
important to remember that most people don't want to become criminals
even if the opportunity exists.

> patpro

Per @thorsheim

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.