[Owasp-leaders] Password complexity guidance

Abbas Naderi abbas.naderi at owasp.org
Sun Dec 15 00:15:00 UTC 2013


I also think site-keys are pretty useless. The times when we’re out of focus, we don’t notice that thing as well.
-A
On Dec 14, 2013, at 6:16 PM, Larry Conklin <larry.conklin at owasp.org> wrote:

> Should any cheat-sheet/guidance on password authentication also include a discussion on site-keys? Site-keys do provide a method of authentication between end-user and a web site with emphasis on preventing phishing. However, the effectiveness of this method is in debate. I think the last thing I read is most users don’t notice the image is incorrect and also this method is open to a MITM attack.
> 
> 
> On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates <michael.coates at owasp.org> wrote:
> We have two references (and probably more - please send if you see more) for password complexity.
> 
> https://www.owasp.org/index.php/Password_length_%26_complexity
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
> 
> First - I agree passwords alone need to die. It's not sufficient. But that said, passwords will be around until the next solution is ready. So, in the interim we should provide the best guidance on selecting good passwords.
> 
> 
> I no longer agree with the approach of forcing users to select gibberish passwords. I believe that passphrases are much better. They achieve great entropy and are far easier for users to remember. My initial position is we should shift our guidance away from the old complex recommendation to a passphrase recommendation.
> 
> Agree? Disagree? Interested in your thoughts.
> 
> Whatever we do select, we should make sure we cross link so we don't have multiple sources of information that could be out of date.
> 
> 
> 
> 
> --
> Michael Coates
> @_mwc
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 

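The entropy comparison and the "passphrase over gibberish" strength control discussed above, written out as an added example in Python. This is not code from the original thread or from OWASP; the word-list size (7776), the printable-ASCII alphabet (94), the length thresholds (8 and 16 characters), the three-class rule for short passwords and the sample word list are all assumptions chosen for illustration.

```python
import math
import secrets
from dataclasses import dataclass

# Sizes of the two generation models compared in the thread (assumptions):
# 7776 is the size of a diceware-style word list, 94 is the printable ASCII
# alphabet a "gibberish" generator draws from. Entropy is a property of how
# a secret was generated, not of the final string, so these describe models.
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 94

# Constructed word list for the demo generator; a real deployment loads a
# full list of WORDLIST_SIZE words.
SAMPLE_WORDS = ("correct", "horse", "battery", "staple",
                "orbit", "lantern", "velvet", "cactus")

# Policy thresholds (assumptions, not OWASP's published numbers).
MIN_LENGTH = 8            # reject anything shorter outright
PASSPHRASE_LENGTH = 16    # at or above this, no character-class rule applies
MIN_CLASSES_WHEN_SHORT = 3


def generation_entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform draws from `alphabet_size` options."""
    return symbols * math.log2(alphabet_size)


def compare_models() -> dict[str, float]:
    """Random passphrases vs. a random 8-character complex password, in bits."""
    return {
        "4 words from 7776": generation_entropy_bits(WORDLIST_SIZE, 4),
        "6 words from 7776": generation_entropy_bits(WORDLIST_SIZE, 6),
        "8 random printable ASCII": generation_entropy_bits(PRINTABLE_ASCII, 8),
    }


def generate_passphrase(words: tuple[str, ...], count: int) -> str:
    """Pick `count` words with a CSPRNG; entropy is count * log2(len(words))."""
    return " ".join(secrets.choice(words) for _ in range(count))


def character_classes(candidate: str) -> int:
    """Count upper, lower, digit and symbol classes present (spaces are ignored)."""
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in candidate)
    return sum((has_upper, has_lower, has_digit, has_symbol))


@dataclass(frozen=True)
class PolicyResult:
    accepted: bool
    reason: str


def check_password(candidate: str,
                   breached: frozenset[str] = frozenset()) -> PolicyResult:
    """Length-first policy: a long passphrase needs no character classes,
    a short password must mix classes, and known-breached values are refused."""
    if candidate in breached:
        return PolicyResult(False, "appears in the breached-password list")
    if len(candidate) < MIN_LENGTH:
        return PolicyResult(False, f"shorter than {MIN_LENGTH} characters")
    if len(candidate) >= PASSPHRASE_LENGTH:
        return PolicyResult(True, "passphrase length; no class requirement")
    if character_classes(candidate) < MIN_CLASSES_WHEN_SHORT:
        return PolicyResult(
            False,
            f"{MIN_LENGTH}-{PASSPHRASE_LENGTH - 1} characters must mix "
            f"at least {MIN_CLASSES_WHEN_SHORT} character classes")
    return PolicyResult(True, "short password with mixed character classes")


if __name__ == "__main__":
    for model, bits in compare_models().items():
        print(f"{model:>26}: {bits:5.1f} bits")
    print(generate_passphrase(SAMPLE_WORDS, 4))
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)}")
```

Four random words from a 7776-word list come out at about 51.7 bits, essentially the same as eight fully random printable characters (about 52.4 bits), and six words reach roughly 77.5 bits while remaining memorable; the policy therefore treats length as the primary control and only falls back to character-class rules for short secrets. A breached-password check is included because neither entropy model says anything about a value the user chose themselves.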