[Cryptography] Password rules and salt

Peter Capek peter.capek at gmail.com
Fri May 19 13:31:44 EDT 2017


Recent comments by Jerry Leichter and Ray Dillinger about the length of the salt used to hash passwords bring to mind a suggestion made years ago by a colleague, perhaps in jest. We were talking about the insanity and inanity of password rules and the difficulty of generating good passwords in the presence of arbitrary and site-specific rules for what is a valid password.

He suggested that instead, any string is valid as a password, as long as it has never been used before as a password by anyone. Aside from the cost of implementing and using a database to enforce this rule, it seems to me to be a sort of pleasing notion. It would be best to keep the DB secret, of course, just to prevent it, and especially recent entries to it, from becoming fodder for dictionary attacks.

           Peter Capek
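As an added illustration (not code from the post or the thread), one way to implement the colleague's "never used by anyone" rule while limiting how useful the registry would be as dictionary fodder if it leaked: candidates are stored only as HMAC-SHA256 tags under a server-side secret key. The class name, the key handling and the sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import unicodedata


class GlobalPasswordRegistry:
    """Enforce the rule that a password is valid only if no one has ever used it.

    Candidates are fingerprinted with HMAC-SHA256 under a server-side secret key,
    so a leaked registry is a list of opaque tags rather than a list of real
    passwords (as long as the key itself stays secret, e.g. in an HSM).
    Hypothetical example class, not from the original post.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: set[bytes] = set()

    def _fingerprint(self, password: str) -> bytes:
        # Normalise so visually identical Unicode strings are treated as the same password.
        normalised = unicodedata.normalize("NFKC", password).encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).digest()

    def is_valid(self, password: str) -> bool:
        """True if this string has never been registered as a password."""
        return self._fingerprint(password) not in self._seen

    def register(self, password: str) -> bool:
        """Accept and record a password; return False (storing nothing) if it was used before."""
        tag = self._fingerprint(password)
        if tag in self._seen:
            return False
        self._seen.add(tag)
        return True


def demo() -> tuple[bool, bool, bool]:
    # Constructed sample passwords; the key is generated fresh for the demo.
    registry = GlobalPasswordRegistry(secrets.token_bytes(32))
    first = registry.register("correct horse battery staple")   # new: accepted
    repeat = registry.register("correct horse battery staple")  # used before: rejected
    other = registry.register("Tr0ub4dor&3")                    # new: accepted
    return first, repeat, other


if __name__ == "__main__":
    print(demo())
```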