[Owasp-leaders] Password complexity guidance

Larry Conklin larry.conklin at owasp.org
Sat Dec 14 23:16:29 UTC 2013


Should any cheat-sheet/guidance on password authentication also include a
discussion on site-keys? Site-keys do provide a method of authentication
between end-user and a web site with emphasis on preventing phishing.
However, the effectiveness of this method is in debate. I think the last
thing I read is that most users don't notice the image is incorrect and also
this method is open to a MITM attack.


On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates
<michael.coates at owasp.org> wrote:

> We have two references (and probably more - please send if you see more)
> for password complexity.
>
> https://www.owasp.org/index.php/Password_length_%26_complexity
>
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
>
> First - I agree passwords alone need to die. It's not sufficient. But that
> said, passwords will be around until the next solution is ready. So, in the
> interim we should provide the best guidance on selecting good passwords.
>
>
> I no longer agree with the approach of forcing users to select gibberish
> passwords. I believe that passphrases are much better. They achieve great
> entropy and are far easier for users to remember. My initial position is we
> should shift our guidance away from the old complex recommendation to a
> passphrase recommendation.
>
> Agree? Disagree? Interested in your thoughts.
>
> Whatever we do select, we should make sure we cross link so we don't have
> multiple sources of information that could be out of date.
>
>
>
>
> --
> Michael Coates
> @_mwc
>
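As an added illustration of the shift the quoted post argues for (not code from the thread or from OWASP): a Python sketch that contrasts a legacy composition rule with a passphrase-length rule, and estimates the entropy of a random "gibberish" password against a random word passphrase. The alphabet size (94 printable ASCII characters), the word-list size (7776, as in a diceware list) and the sample passwords are constructed assumptions.

```python
import math
import re

# Assumed sizes, not from the thread: 94 printable ASCII characters for a
# "gibberish" password, 7776 words for a diceware-style passphrase list.
PRINTABLE_ASCII = 94
DICEWARE_WORDS = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random selection: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def complex_password_bits(length: int) -> float:
    """Random printable-ASCII password of the given length."""
    return entropy_bits(PRINTABLE_ASCII, length)


def passphrase_bits(words: int) -> float:
    """Random passphrase built from the given number of diceware words."""
    return entropy_bits(DICEWARE_WORDS, words)


def words_needed(target_bits: float) -> int:
    """Fewest random words that reach the target entropy."""
    return math.ceil(target_bits / math.log2(DICEWARE_WORDS))


def composition_rule_ok(pw: str) -> bool:
    """Legacy rule: at least 8 characters and three of four character classes."""
    classes = [re.search(p, pw) is not None
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    return len(pw) >= 8 and sum(classes) >= 3


def passphrase_rule_ok(pw: str, min_words: int = 4, min_chars: int = 16) -> bool:
    """Passphrase rule: word count and total length only, no character classes."""
    return len(pw.split()) >= min_words and len(pw) >= min_chars


if __name__ == "__main__":
    print(f"8 random ASCII chars: {complex_password_bits(8):.1f} bits")
    print(f"5 random words:       {passphrase_bits(5):.1f} bits")
    print(f"words to match 8 ASCII chars: {words_needed(complex_password_bits(8))}")
    # Constructed samples: a short "complex" password and a plain passphrase.
    for pw in ("P@ssw0rd!1", "orbit candle gravel mitten"):
        print(f"{pw!r}: composition={composition_rule_ok(pw)} "
              f"passphrase={passphrase_rule_ok(pw)}")
```

Note that each rule rejects what the other accepts: the composition rule turns away the longer, higher-entropy passphrase, which is the mismatch the post is pointing at.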