Date: Tue, 10 May 2016 06:12:22 -0800
From: Royce Williams <>
Subject: Re: Password-Manager Friendly (PMF) semantic markup

On Mon, May 9, 2016 at 11:59 PM, Per Thorsheim <> wrote:
> First presented by Max Spencer at #passwords14 in Trondheim, I am still
> a fan of this idea.
> Basically implementing some stuff into HTML that tells any password
> manager what minimum/maximum/restrictions etc a site has for passwords,
> allowing a password manager to automatically generate the best possible
> password without any additional user interaction or error handling.
> "All we need" is:
> - A standard
> - Get major browsers to support the standard
> - Get major password managers to support it
> - Make OWASP adopt it
> - Have all websites in the world (preferably) adopt it for the greater good
> Easy. Now where do we begin?

Great idea!

A brief survey of prior public discussion yields little, other than
people saying "yeah, this would be good" posts like this:

I suggest extending the scope to include non-HTML apps as well,
perhaps by providing an XML format, such as:

We might include not just password complexity rules, but other
qualities of authentication, including:

- Password aging policy
- Supported 2FA/MFA methods
- Supported types of federation (log in with Google, Facebook, etc.)
- Hashing method and parameters (salt, rounds, etc.) -- a signal of
(in)competence ;)
- SAML awareness? (not sure what's possible/useful here)

I'd bet that Tantek Celik would be interested in helping making it

Getting big sites could build momentum. Wordpress,
Google/Blogger/Blogspot, Yahoo, Hotmail etc. come to mind. Wordpress
uses phpass, so they might be the most open-minded.
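
A sketch of the consumer side of the idea quoted above, added here as an example and not part of the original message or of any proposal in the thread: a password manager reads a site's declared policy from the password field and generates a compliant password with no user interaction. The `data-pmf-*` attribute names and the sample form are hypothetical, invented for this example, since the thread defines no syntax.

```python
import secrets
import string
from html.parser import HTMLParser

# Constructed sample. The data-pmf-* names are hypothetical (assumption).
SAMPLE_FORM = '''<form><input type="password" name="pw"
  data-pmf-minlength="12" data-pmf-maxlength="20"
  data-pmf-required="lower upper digit"
  data-pmf-allowed="lower upper digit symbol"
  data-pmf-symbols="!#%+-_"></form>'''

class PolicyParser(HTMLParser):
    """Collect data-pmf-* attributes from the first password input."""
    def __init__(self):
        super().__init__()
        self.policy = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "password" and self.policy is None:
            # Strip the 9-character "data-pmf-" prefix from each key.
            self.policy = {k[9:]: v for k, v in a.items() if k.startswith("data-pmf-")}

def parse_policy(html):
    parser = PolicyParser()
    parser.feed(html)
    return parser.policy

def generate(policy, want=64):
    """Longest password the site accepts (capped at want), drawn from a CSPRNG."""
    classes = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
               "digit": string.digits, "symbol": policy.get("symbols", "")}
    allowed = [classes[c] for c in policy["allowed"].split()]
    required = [classes[c] for c in policy.get("required", "").split()]
    lo, hi = int(policy["minlength"]), int(policy["maxlength"])
    length = max(lo, min(hi, want))
    # Reject policies that cannot be met instead of emitting a password
    # the site would bounce back to the user.
    if (lo > hi or length < len(required) or not all(allowed)
            or any(r not in allowed for r in required)):
        raise ValueError("unsatisfiable or malformed policy")
    pool = "".join(allowed)
    chars = [secrets.choice(c) for c in required]      # one per required class
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)              # hide required positions
    return "".join(chars)
```
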

