[Owasp-leaders] Password complexity guidance
Michael Coates
michael.coates at owasp.org
Wed Dec 11 18:43:22 UTC 2013
We have two references (and probably more - please send if you see more)
for password complexity.
https://www.owasp.org/index.php/Password_length_%26_complexity
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
First - I agree passwords alone need to die. It's not sufficient. But that
said, passwords will be around until the next solution is ready. So, in the
interim we should provide the best guidance on selecting good passwords.
I no longer agree with the approach of forcing users to select gibberish
passwords. I believe that passphrases are much better. They achieve great
entropy and are far easier for users to remember. My initial position is we
should shift our guidance away from the old complex recommendation to a
passphrase recommendation.
Agree? Disagree? Interested in your thoughts.
Whatever we do select, we should make sure we cross link so we don't have
multiple sources of information that could be out of date.
--
Michael Coates
@_mwc
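An added example, not part of the original post: the entropy arithmetic behind the passphrase argument above, with a CSPRNG-based generator. The 7776-word list size (a Diceware-style list) and the 95-symbol printable alphabet are assumptions, not figures from the thread; the numbers only hold when every word or character is chosen uniformly at random, not by the user.

```python
import math
import secrets

# Printable ASCII minus space: the alphabet a "complex password" rule draws from (assumption).
COMPLEX_ALPHABET = 95
# Size of a Diceware-style word list, 6**5 (assumption, not from the original post).
DICEWARE_WORDS = 7776

# Constructed sample list, far smaller than a real one; for demonstration only.
SAMPLE_WORDS = ["apple", "bridge", "candle", "desert", "ember", "falcon", "garden", "harbor"]


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly and independently
    from `symbol_count` equally likely choices: length * log2(symbol_count)."""
    if symbol_count < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbol_count)


def words_for_target(target_bits: float, wordlist_size: int = DICEWARE_WORDS) -> int:
    """Smallest number of uniformly chosen words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly at random with the OS CSPRNG (never random.choice)."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # 8 random printable characters vs. 4, 5 and 6 random Diceware words.
    print(f"8-char complex: {entropy_bits(COMPLEX_ALPHABET, 8):.1f} bits")
    for n in (4, 5, 6):
        print(f"{n}-word passphrase: {entropy_bits(DICEWARE_WORDS, n):.1f} bits")
    # How many words match the 8-character complex password?
    print("words to match:", words_for_target(entropy_bits(COMPLEX_ALPHABET, 8)))
    print("sample:", generate_passphrase(SAMPLE_WORDS, 5))
```

A four-word random passphrase is roughly level with eight random printable characters; each extra word adds about 12.9 bits, which is why a length floor rather than character-class rules is the policy lever that tracks entropy.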