Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 4 Sep 2016 03:09:08 +0200
From: "" <>
Subject: Re: Authentication process

> 'Complexity' is the rules that are required for passwords such as
> minimum length, lower & upper cases, digits and special characters.

so "complexity" == "password policy"

> More and more passwords have to pass a 'strength' test before being
> accepted (ex.: blacklist)

what do you mean "strength"?

> With 'trusted' I refer to the fact that no matter how you will restrict
> the password that are allowed, people will always find some sort of
> pattern to help memorizing it.

are you fighting against memorability?

> it seems that we think so much alike that we will all
> choose the exact same next pattern available

sounds plausible, Matt Weir made this point very clear with tangible data.

> Thus my comment, "user-defined passwords could never be trusted" and
> only truly random passwords should be used,


> But there are not
> user-friendly, especially ones with enough entropy

_ONES_ have entropy of exactly ZERO.
by the definition of entropy.
(look it up, by the way)
ANY password has zero entropy.

also worth noticing that you have destroyed any appeal to entropy (just 
few lines above, without my help) by showing how a password creation 
procedure is UNRELATED to a password guessing procedure.

> brute force attacks of powerful machines.

why do you concentrate on brute force guessing?
do you discard all intelligently designed dictionaries?

i understand by "trust" you mean "accept" am i right?

somebody impolitely and arrogantly claimed that EVERYBODY on the list is 
well informed about irrelevance of the entropy to the password guessing 
care to take your words and insults back?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.