[Owasp-leaders] Password complexity guidance

Cam Morris cam.morris at owasp.org
Fri Dec 13 16:32:18 UTC 2013


Thanks Matt! I was just about to reply to tout OWASP Passfault ;)  It's
still in a "labs" state.  But we're working on it.   I'd love to have help
integrating it into active directory, etc.


On Wed, Dec 11, 2013 at 12:23 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> We should probably link to the OWASP Passfault project as well - once
> consensus is reached.
>
> Site: http://www.passfault.com/
>
> Project Page: https://www.owasp.org/index.php/OWASP_Passfault
>
> "When setting a password, Passfault examines the password, looking for
> common patterns. Passfault then measures the strength of the patterns and
> combinations of patterns. The end result is a more academic and accurate
> measurement of password strength."
>
> I generally agree that passphrases are better than short strings of
> gibberish.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates <michael.coates at owasp.org> wrote:
>
>> We have two references (and probably more - please send if you see more)
>> for password complexity.
>>
>> https://www.owasp.org/index.php/Password_length_%26_complexity
>>
>> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
>>
>> First - I agree passwords alone need to die. It's not sufficient. But
>> that said, passwords will be around until the next solution is ready. So,
>> in the interim we should provide the best guidance on selecting good
>> passwords.
>>
>>
>> I no longer agree with the approach of forcing users to select gibberish
>> passwords. I believe that passphrases are much better. They achieve great
>> entropy and are far easier for users to remember. My initial position is we
>> should shift our guidance away from the old complex recommendation to a
>> passphrase recommendation.
>>
>> Agree? Disagree? Interested in your thoughts.
>>
>> Whatever we do select, we should make sure we cross link so we don't have
>> multiple sources of information that could be out of date.
>>
>>
>> --
>> Michael Coates
>> @_mwc
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>
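To make the entropy argument in Michael's message concrete, here is an added example (written for this page; it is not Passfault's code, only a toy estimator in the same spirit of scoring patterns rather than raw length). It assumes a Diceware-sized wordlist of 7776 words, a small constructed dictionary standing in for a real one, and a crude x4 factor for case and leet variants of a word:

```python
import math
import re

# Constructed stand-in dictionary; a real checker loads a full wordlist. The
# pattern size is taken as a Diceware-sized list (7776, an assumption) so the
# bits reflect a realistic dictionary rather than this toy one.
DICTIONARY = {"summer", "winter", "marble", "kettle", "sunrise", "ladder"}
DICTIONARY_SIZE = 7776
LEET = str.maketrans("0134$@", "oleasa")   # substitutions a cracker tries too
LETTERS, DIGITS, SYMBOLS = 52, 10, 33      # sizes of the per-character classes

def segment(password):
    """Greedily split `password` into (text, pattern, guesses) segments:
    longest dictionary word first (case and leet undone), then digit runs,
    then single letters or symbols; separator spaces cost one guess."""
    segs, i, n = [], 0, len(password)
    while i < n:
        for j in range(n, i, -1):                   # longest match wins
            if password[i:j].lower().translate(LEET) in DICTIONARY:
                # x4 is an assumption: capitalisation and leet variants each
                # roughly double the space an attacker must cover
                segs.append((password[i:j], "word", DICTIONARY_SIZE * 4))
                i = j
                break
        else:
            m = re.match(r"\d+", password[i:])
            if m:
                segs.append((m.group(), "digits", DIGITS ** len(m.group())))
                i += len(m.group())
            elif password[i].isspace():
                segs.append((password[i], "separator", 1)); i += 1
            elif password[i].isalpha():
                segs.append((password[i], "letter", LETTERS)); i += 1
            else:
                segs.append((password[i], "symbol", SYMBOLS)); i += 1
    return segs

def strength_bits(password):
    """log2 of the guesses a pattern-aware attacker needs (product of segments)."""
    return math.log2(math.prod(g for _, _, g in segment(password)))

def random_string_bits(length, alphabet=95):
    """What a naive 'any printable ASCII' model credits the same length."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    for pw in ["Summer2013!", "J7$k2!pQ", "marble kettle sunrise ladder"]:
        print(f"{pw!r:32} {strength_bits(pw):5.1f} bits "
              f"(naive: {random_string_bits(len(pw)):5.1f})  {segment(pw)}")
```

A composition-rule password like "Summer2013!" passes the usual checks but decomposes into word + digits + symbol (about 33 bits), while the four-word passphrase scores roughly 60 bits and is the easiest of the three to remember.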