[Owasp-leaders] Password complexity guidance

Cam Morris cam.morris at owasp.org
Fri Dec 13 16:59:51 UTC 2013


"My initial position is we should shift our guidance away from the old
complex recommendation to a passphrase recommendation."
- totally agree.  This paper http://dl.acm.org/citation.cfm?id=1979321 studies
the effects of different password policies to measure the difference in
resulting password complexity. The only constraint they found that
increased complexity was the length.  The rest of password policies had
little effect. "Overall, they found that increasing minimum length was more
effective than applying content constraints"

As far as two-factor auth goes,  I love my two-factor auth with google and
facebook but one of those factors is still a password. We'll still need to
provide guidance on how to create them.  Would anyone be shocked if in
twenty years we still have passwords?

Also, +1 on having password managers suggested in the guidance.


On Fri, Dec 13, 2013 at 9:32 AM, Cam Morris <cam.morris at owasp.org> wrote:

> Thanks Matt! I was just about to reply to tout OWASP Passfault ;)  It's
> still in a "labs" state.  But we're working on it.   I'd love to have help
> integrating it into active directory, etc.
>
>
> On Wed, Dec 11, 2013 at 12:23 PM, Matt Tesauro <matt.tesauro at owasp.org>wrote:
>
>> We should probably link to the OWASP Passfault project as well - once
>> consensus is reached.
>>
>> Site: http://www.passfault.com/
>>
>> Project Page: https://www.owasp.org/index.php/OWASP_Passfault
>>
>> "When setting a password, Passfault examines the password, looking for
>> common patterns. Passfault than measures the strength of the patterns and
>> combinations of patterns. The end result is a more academic and accurate
>> measurement of password strength."
>>
>> I generally agree that passphrases are better that short stings of
>> gibberish.
>>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>
>>
>> On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates <
>> michael.coates at owasp.org> wrote:
>>
>>> We have two references (and probably more - please send if you see more)
>>> for password complexity.
>>>
>>> https://www.owasp.org/index.php/Password_length_%26_complexity
>>>
>>> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
>>>
>>> First - I agree passwords alone need to die. It's not sufficient. But
>>> that said, passwords will be around until the next solution is ready. So,
>>> in the interim we should provide the best guidance on selecting good
>>> passwords.
>>>
>>>
>>> I no longer agree with the approach of forcing users to select gibberish
>>> passwords. I believe that passphrases are much better. They achieve great
>>> entropy and are far easier for users to remember. My initial position is we
>>> should shift our guidance away from the old complex recommendation to a
>>> passphrase recommendation.
>>>
>>> Agree? Disagree? Interested in your thoughts.
>>>
>>> Whatever we do select, we should make sure we cross link so we don't
>>> have multiple sources of information that could be out of date.
>>>
>>>
>>>
>>>
>>> --
>>> Michael Coates
>>> @_mwc
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131213/94df4fac/attachment.html>


More information about the OWASP-Leaders mailing list