Date: Sat, 17 Dec 2016 13:24:52 -0600
From: Jeffrey Goldberg <>
Subject: Re: proposed NIST guidelines on passwords

On Dec 16, 2016, at 11:52 AM, Jim Fenton <> wrote:

> Please make this comment when the public comment period opens early next year.

First, thank you Jim for your work on this. I love it.

I will have some comments about just some minor wording changes (which I will figure out more explicitly) as I’ve encountered some repeated misunderstandings of the current draft.

A number of people are interpreting the requirement[1] that systems accept 128 byte passwords as a requirement that automated password generators create passwords of that length. That is, they are seeing requirements placed on things that accept passwords as translating directly to guidelines for systems that generate passwords. Of course these do have (very nice) implications for systems that generate passwords, but it would be nice to separate them.

I suspect that some might argue that the misunderstandings we (AgileBits, makers of 1Password) face from our users are not NIST’s problem. We should be the ones to explain that if a service “must” accept 128 byte passwords, then we “may” generate, say, 50 character ones to use for compliant systems. I would argue otherwise, and say that this isn’t just our problem. There is a history of people reading too much into password requirements. So we can anticipate that stating a minimum maximum of 128 bytes will lead people to believe that NIST is specifically recommending 128 byte passwords.

I don’t know if it would be too late (or inappropriate) to offer guidelines for automated password generators in this document. If such a section is included, it could state a demand for the generator to produce a uniform distribution (and thus help get us beyond the unfortunate legacy of FIPS-181).



[1] Please forgive my loose use of the word “requirement”, “may” and “must” here. You know what I mean. When I make my specific comments, I will word things more precisely.
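
Added example, not part of the original message or of any 1Password code: a Python sketch that keeps the two sides apart, a generator that draws 50 symbols uniformly and a verifier whose maximum is the 128 bytes cited above. The 62-symbol alphabet, the function names and the rejection-sampling approach are assumptions made for illustration.

```python
import math
import secrets
from collections import Counter

# Assumed 62-symbol alphabet; any set of up to 256 symbols works the same way.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
MIN_MAX_BYTES = 128  # acceptance length cited in the message

def index_counts(n, reject):
    """Map every byte value to an index in range(n) and count the hits.

    reject=False is plain `byte % n` (modulo bias). reject=True drops bytes
    at or above the largest multiple of n, so each index is hit equally often.
    """
    limit = 256 - (256 % n) if reject else 256
    return Counter(b % n for b in range(limit))

def is_uniform(counts, n):
    """True when all n indexes occur and all occur the same number of times."""
    return len(counts) == n and len(set(counts.values())) == 1

def generate(length=50, alphabet=ALPHABET, rand_byte=None):
    """Generator side: `length` symbols, each drawn uniformly from alphabet."""
    rand_byte = rand_byte or (lambda: secrets.token_bytes(1)[0])
    n = len(alphabet)
    limit = 256 - (256 % n)
    out = []
    while len(out) < length:
        b = rand_byte()
        if b < limit:  # discard the biased tail instead of wrapping it
            out.append(alphabet[b % n])
    return "".join(out)

def entropy_bits(length, alphabet=ALPHABET):
    """Strength of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))

def verifier_accepts(password, min_max_bytes=MIN_MAX_BYTES):
    """Acceptance side of this sketch: length is measured in UTF-8 bytes."""
    return len(password.encode("utf-8")) <= min_max_bytes

if __name__ == "__main__":
    pw = generate()
    print(len(pw), round(entropy_bits(len(pw)), 1), verifier_accepts(pw))
```

The generator's length is a parameter chosen for strength, while the verifier's limit only bounds what must be accepted; nothing ties the first to the second.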
