[Owasp-leaders] Password complexity guidance
yvanboily at gmail.com
Wed Dec 11 20:19:35 UTC 2013
On Wed, Dec 11, 2013 at 10:43 AM, Michael Coates
<michael.coates at owasp.org> wrote:
> I no longer agree with the approach of forcing users to select gibberish
> passwords. I believe that passphrases are much better. They achieve great
> entropy and are far easier for users to remember. My initial position is we
> should shift our guidance away from the old complex recommendation to a
> passphrase recommendation.
> Agree? Disagree? Interested in your thoughts.
In the recommendations there should be a basic explanation of the reasoning
behind it, including the math (passphrases chosen from a language
dictionary are not necessarily better mathematically, especially if you
have a known dictionary from which the passwords were generated) and the
usability factors (memory, ease of use across multiple devices, etc).
We should also recommend a maximum length of password as naively
implementing long password schemes can result in DoS conditions.