[Owasp-leaders] Password complexity guidance

Yvan Boily yvanboily at gmail.com
Wed Dec 11 20:19:35 UTC 2013


On Wed, Dec 11, 2013 at 10:43 AM, Michael Coates
<michael.coates at owasp.org> wrote:

> I no longer agree with the approach of forcing users to select gibberish
> passwords. I believe that passphrases are much better. They achieve great
> entropy and are far easier for users to remember. My initial position is we
> should shift our guidance away from the old complex recommendation to a
> passphrase recommendation.
>
> Agree? Disagree? Interested in your thoughts.
>


Agree.

In the recommendations there should be a basic explanation of the reasoning
behind it, including the math (passphrases chosen from a language
dictionary are not necessarily better mathematically, especially if you
have a known dictionary from which the passwords were generated) and the
usability factors (memory, ease of use across multiple devices, etc).

We should also recommend a maximum length of password as naively
implementing long password schemes can result in DoS conditions.
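As an added illustration of the two points above (it is not part of Yvan's message or any OWASP guidance), the following script works the entropy math both ways and shows a length bound applied before the slow hash runs. The word-list size of 7776, the 95-character printable-ASCII alphabet, the 27-character lowercase-plus-space alphabet, the 12/128-byte bounds and the sample phrase are all constructed assumptions for the example:

```python
import hashlib
import math

# Constructed policy bounds for the example (not from the thread). The cap
# exists because a password hash's cost can grow with input length, so an
# unbounded password lets a client burn server CPU on a single login attempt.
MIN_PASSWORD_BYTES = 12
MAX_PASSWORD_BYTES = 128


def bits_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_dictionary_phrase(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a word list."""
    return word_count * math.log2(dictionary_size)


def attacker_bits(phrase: str, dictionary_size: int,
                  alphabet_size: int = 27) -> float:
    """Guessing work faced by an attacker who knows the word list.

    Scoring the phrase as random characters overstates its strength: the
    attacker enumerates word combinations, not characters, so the work is
    the smaller of the two models.
    """
    char_model = bits_random_chars(len(phrase), alphabet_size)
    word_model = bits_dictionary_phrase(len(phrase.split()), dictionary_size)
    return min(char_model, word_model)


def check_length(password: str,
                 min_bytes: int = MIN_PASSWORD_BYTES,
                 max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Bound the UTF-8 byte length; bytes, not characters, reach the hash."""
    n = len(password.encode("utf-8"))
    return min_bytes <= n <= max_bytes


def hash_if_acceptable(password: str, salt: bytes,
                       iterations: int = 100_000):
    """Apply the length policy before spending the slow hash's CPU budget.

    Returns the derived key, or None when the password is rejected.
    """
    if not check_length(password):
        return None
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


if __name__ == "__main__":
    # Constructed comparison: an 8-character random password over printable
    # ASCII versus a 4-word phrase from a 7776-word list.
    print("8 random printable chars: %.1f bits" % bits_random_chars(8, 95))
    print("4 words from 7776-word list: %.1f bits"
          % bits_dictionary_phrase(4, 7776))
    phrase = "correct horse battery staple"  # constructed sample phrase
    print("%r scored as characters: %.1f bits, as known-dictionary words: %.1f bits"
          % (phrase, bits_random_chars(len(phrase), 27),
             attacker_bits(phrase, 7776)))
    print("1 MB password accepted:", hash_if_acceptable("a" * 1_000_000, b"salt") is not None)
```

The point of `attacker_bits` is the caveat in the message: a 28-character phrase looks like 133 bits when scored per character, but once the attacker has the 7776-word list it is worth under 52 bits, roughly the same as eight random printable characters. `check_length` measures encoded bytes so that a multibyte character cannot slip a long input past a character-count limit.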