Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 May 2016 11:27:09 -0500
From: Jeffrey Goldberg <>
Subject: Re: Password-Manager Friendly (PMF) semantic markup

On 2016-05-10, at 11:17 AM, Jim Fenton <> wrote:

> On 5/10/16 7:12 AM, Royce Williams wrote:
>> We might include not just password complexity rules, but other
>> qualities of authentication, including:
>> - Password aging policy
>> - Supported 2FA/MFA methods
>> - Supported types of federation (log in with Google, Facebook, etc.)
>> - Hashing method and parameters (salt, rounds, etc.) -- a signal of
>> (in)competence ;)
>> - SAML awareness? (not sure what's possible/useful here)
> Ugh, let's not give them a place to express a password aging policy when
> the only sensible answer is "no aging". I'd rather that we didn't
> encourage password complexity (composition) rules either.

If a site or service has such rules, then it would be good for password
managers to know about them.

> Hashing method and parameters: How is this information actionable by
> password managers?

I agree. While we should encourage sites to document such things, this
isn’t the place for it.



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.