Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 17:33:28 +0200
From: "" <>
Subject: Re: Re: Password creation policies

>> instead of bottom-limiting the
>> length they attempt to extend the alphabet which is plainly futile.

> I *strongly* disagree with this statement.

I hope you see that increment in length DWARFS the extension of the 
alphabet in terms of entropy. It should be OBVIOUS to any however 
slightly competent policy creator.
If it is not, then the policy creator is AT LEAST incompetent.
So that i consider your "strongly" to be merely an expression of 
emotions not an argument.

> I'd appreciate it if you kept personal attacks out of
> this discussion.

I do not attack anyone personally -- I do not even know them.
I have shown you already, that the Google's and MS's policies
NEGATE EACH OTHER; and I take it as a clear sign of retardation.
They have absolutely no idea what are they doing, yet they force me to 
do the same nonsense.

> struggled with creating and implementing password policies.

of course they struggle!!!
because they don't know what parameter they are trying to optimize!
they are trying to solve an unknown problem.
That is a struggle, no doubt.

>>(a) S.Entropy is based on a GUESS: "the universum of expected outcomes"
>> which is outright irrelevant to our problem.

> Believe it or not, that's not my issue with Shannon Entropy.

I believe you.
You should immediately reconsider your opinion about S.Entropy.
S.Entropy BY THE VERY DEFINITION is completely unrelated to our problem.

> That being said, I fully understand why NIST went with Shannon Entropy
> since it at least was an attempt to base defensive policies on perceived
> attacker strategies.

but it is not!!!
they do not perceive attacks, instead they assume that their own 
password creation hardships somehow represent the hardships of a 
hypothetical attacker.
(Please take it seriously) entropy characterizes your password creation 
framework (I am absolutely serious) and nothing more!!!
Then comes an attacker and reproduces your password using another 
framework, characterized with much less entropy than yours.
Then comes the panic: "A powerful attack is discovered!!!"
it is not the attack is so scary powerful, it is your initial 
assumptions are so tremendously deranged.

Password strength is a function of an attack.
Entropy is not, therefore irrelevant.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.