If you leave it up to a user, they'll choose nothing, or the last four of the social. There should be criteria, but not public criteria.

------Original Message------
From: Nicholas Cole
Sender: gnupg-users-boun...@gnupg.org
To: gnupg-users@gnupg.org
Subject: Re: A better way to think about passwords
Sent: Apr 21, 2011 4:09 AM

Isn't the real problem that *any* policy (suggested or enforced) reduces the complexity of guessing a password? The moment you start saying "pick three words separated by a space or dash" or "pick eight random letters" or the like you make it easier to attack a password.

My employer insists on passwords that meet a defined and public set of criteria. I'm sure that in theory that actually makes them easier to crack, since many millions of possibilities can be discounted.

In short: don't force a particular strategy on your users. Much better to explain to users the general problem, and then leave it up to them to pick a password.

Nicholas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-Devin