[Owasp-leaders] Password complexity guidance
cam.morris at owasp.org
Fri Dec 13 16:32:18 UTC 2013
Thanks Matt! I was just about to reply to tout OWASP Passfault ;) It's
still in a "labs" state. But we're working on it. I'd love to have help
integrating it into Active Directory, etc.
On Wed, Dec 11, 2013 at 12:23 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
> We should probably link to the OWASP Passfault project as well - once
> consensus is reached.
> Site: http://www.passfault.com/
> Project Page: https://www.owasp.org/index.php/OWASP_Passfault
> "When setting a password, Passfault examines the password, looking for
> common patterns. Passfault then measures the strength of the patterns and
> combinations of patterns. The end result is a more academic and accurate
> measurement of password strength."
> I generally agree that passphrases are better than short strings of
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> We have two references (and probably more - please send if you see more)
>> for password complexity.
>> First - I agree passwords alone need to die. It's not sufficient. But
>> that said, passwords will be around until the next solution is ready. So,
>> in the interim we should provide the best guidance on selecting good
>> I no longer agree with the approach of forcing users to select gibberish
>> passwords. I believe that passphrases are much better. They achieve great
>> entropy and are far easier for users to remember. My initial position is we
>> should shift our guidance away from the old complex recommendation to a
>> passphrase recommendation.
>> Agree? Disagree? Interested in your thoughts.
>> Whatever we do select, we should make sure we cross link so we don't have
>> multiple sources of information that could be out of date.
>> Michael Coates
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
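The pattern-based measurement described in the quoted Passfault text, set against the passphrase argument in the thread, as an added illustration. It is not Passfault's algorithm or code and not from any poster. The mini wordlist, the assumed dictionary size, the one-bit costs per disguise, and the 7776-word Diceware list size are assumptions made for the example.

```python
import math

# Constructed mini-dictionary; ASSUMED_DICT_SIZE stands in for a real cracking wordlist.
WORDS = {"password", "dragon", "monkey", "welcome", "summer"}
ASSUMED_DICT_SIZE = 100_000
LEET = str.maketrans("@4308!1$57", "aaeobiisst")  # common substitutions, undone before lookup

def word_bits(token):
    """Cost of a token if it is a dictionary word under case/leet disguise, else None."""
    plain = token.lower().translate(LEET)
    if plain not in WORDS:
        return None
    bits = math.log2(ASSUMED_DICT_SIZE)
    if token != token.lower():
        bits += 1  # assumed cost: one bit for a capitalisation variant
    # assumed cost: one bit per substituted character
    return bits + sum(1 for a, b in zip(token.lower(), plain) if a != b)

def pattern_bits(password):
    """Cheapest split of the password into patterns (dynamic programming over prefixes)."""
    n = len(password)
    best = [0.0] + [math.inf] * n
    for end in range(1, n + 1):
        for start in range(end):
            token = password[start:end]
            costs = [len(token) * math.log2(95)]          # fallback: random printable chars
            if token.isdigit():
                costs.append(len(token) * math.log2(10))  # run of digits
            wb = word_bits(token)
            if wb is not None:
                costs.append(wb)                          # disguised dictionary word
            best[end] = min(best[end], best[start] + min(costs))
    return best[n]

def naive_bits(password):
    """What a charset-only meter reports: length * log2(size of the classes in use)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0

def passphrase_bits(n_words, wordlist_size=7776):
    """Bits for n words drawn uniformly at random from a list (7776 = Diceware size)."""
    return n_words * math.log2(wordlist_size)

if __name__ == "__main__":
    pw = "P@ssw0rd1!"  # constructed sample that satisfies a typical complexity rule
    print(f"{pw}: naive {naive_bits(pw):.1f} bits, pattern-aware {pattern_bits(pw):.1f} bits")
    print(f"4 random words: {passphrase_bits(4):.1f} bits")
```

The passphrase figure only holds when the words are chosen at random; a phrase the user picks themselves needs the same pattern-aware treatment as any other password.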