Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Apr 2016 23:40:54 +0200
From: Per Thorsheim <>
Subject: Re: Mandatory password changes - DIEDIEDIE!

Den 20.04.2016 22.57, skrev
>> The statement will simply be something like "stop changing passwords
>> frequently".
> +1
>> We can no longer require users to have long & complex passwords, unique
>> to every service & site, and additionally ask them to change them every
>> 30-60-90 days.
> it is important to separate all these 4 points.


> 1. WE CAN AND SHOULD REQUIRE users to have LONG passwords,

Disagree. Risk analysis should be applied. Having a long password won't
help shit if all data is stored in plain on physically available disk.
(No matter what rule you make, there will always be exceptions.)

> 2. we can not say anything about "complex" because we do not know what
> is complex and if it is relevant to our problem.

I will try to only focus on the stupidity of frequent & mandatory
password change in connection with the Las Vegas event. All other
applicable stuff goes into the FAQ.

> 3. uniqueness is a delicate issue, it is sufficient for a very small
> portion of your passwords to be unique. moreover it is good to have a
> single shitty passwords for forums and similar cesspools,5%26scilib%3D1&citilm=1&citation_for_view=tP9nguAAAAAJ:d1gkVwhDpl0C&hl=no&oi=p

In which we argue for classifying sites & services into risk levels, and
allowing pwd reuse within same level, but mixing of passwords across
different levels. Rude, but at least something to ease the burden on
normal users.

> 4. compulsory expiration is a separate issue,
> which is bad, but can be mitigated by writing passwords on paper.

I prefer good passwords on paper over bad passwords online.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.