Date: Wed, 20 Apr 2016 23:51:35 +0200
From: "" <>
Subject: Re: Mandatory password changes - DIEDIEDIE!

On 04/20/2016 11:40 PM, Per Thorsheim wrote:
> On 20.04.2016 22.57, wrote
>>> The statement will simply be something like "stop changing passwords
>>> frequently".
>> +1
>>> We can no longer require users to have long & complex passwords, unique
>>> to every service & site, and additionally ask them to change them every
>>> 30-60-90 days.
>> it is important to separate all these 4 points.
> Agree.
>> 1. WE CAN AND SHOULD REQUIRE users to have LONG passwords,
> Disagree. Risk analysis should be applied. Having a long password won't
> help shit if all data is stored in plain on physically available disk.
> (No matter what rule you make, there will always be exceptions.)

Here you bring an even more distant issue into the scope.
Set it aside.
Password length is a property that is targeted ONLY to deflect guessing
attacks, and should not be confused with physical attacks.

So let us set (1) (2) (3) aside altogether;
and good luck with the (4).

> In which we argue for classifying sites & services into risk levels, and
> allowing pwd reuse within same level, but mixing of passwords across
> different levels. Rude, but at least something to ease the burden on
> normal users.

I feel bad :( I wanted to write about classifying your personal
passwords for improving manageability and reducing interference... you
know what I mean.
