--- Robert Leland <[EMAIL PROTECTED]> wrote:
> David Graham wrote:
> > My point is not that you shouldn't tell your users the rules; it's that
> > you shouldn't expose the validation algorithm to hackers. The less they
> > know about the password system, the better.
> >
> > David
>
> That's Microsoft's method: security by obscurity. We all know how well
> that works!
>
> I have been searching for articles saying that knowing minimum/maximum
> password lengths poses a security risk. I have not found such an
> article/blurb, either for or against. And it is impossible to not tell
> the user what the min/max's are in a usable system.
>
> The only place where min/max lengths help out a little, very little, is
> in programs like jack the ripper, and this occurs once the password file
> has been copied off the machine to another to be cracked.
>
> I also asked my co-worker who lives and breathes cryptology and runs a
> respected crypto news site, and he said it isn't an issue. The only
> comment he made is that there should not be maximum limits. (He probably
> also would like a 15 digit zip code ;) )!
>
> I am trying to base decisions on facts, not FUD, and I see no references
> that would support a -1. I invite you to google for over an hour like I
> did.

That's not how a veto works. We don't need a list of internet references
to support a -1. I believe exposing any details about password validation
implementation is a security flaw, no matter how small. Revealing min/max
lengths is a relatively minor issue but violates that general principle.
The implication that I support MS' security model or am trying to spread
FUD isn't fair. I'm trying to do the right thing and ship Validator that
complies with the Apache way of doing things. If my reasons don't support
a -1, so be it. I don't have the time nor energy to continue debating this.

David

> -Rob
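The following is an added illustration of the quantity both sides are arguing about; it is not part of the thread and not code from the Validator project. It models the offline guessing scenario Rob describes (a copied password file attacked by a tool that tries shorter candidates first) and counts how many candidates a guesser can skip once it knows the minimum length, relative to the space it has to search anyway to reach a password of a given actual length. It also computes the entropy ceiling that a maximum length imposes, which is the separate point Rob's co-worker raises. The charset size, minimum and actual lengths used in the usage lines are constructed sample values, not figures from the thread.

```python
"""Quantify the information leaked by disclosed password length bounds.

Added example for the discussion above; not code from the thread or from
the Validator project. Sample parameters below are constructed.
"""
import math


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings whose length lies in [min_len, max_len].

    An empty range (max_len < min_len) yields 0.
    """
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def guesses_skipped(charset_size: int, min_len: int) -> int:
    """Candidates shorter than the published minimum that a length-ordered
    guesser no longer has to try once the minimum is known.

    Knowing the maximum does not shorten the search for any password that
    actually satisfies the rule: such a password is reached at the same
    position in a shortest-first enumeration whether or not the cap is known.
    """
    return keyspace(charset_size, 1, min_len - 1)


def relative_saving(charset_size: int, min_len: int, actual_len: int) -> float:
    """Skipped guesses as a fraction of all candidates the guesser must
    enumerate (shortest first) to reach a password of length actual_len.

    This is the quantity that decides whether disclosing the minimum is
    'very little' help: it is the share of work the disclosure removes.
    """
    total = keyspace(charset_size, 1, actual_len)
    return guesses_skipped(charset_size, min_len) / total


def max_entropy_bits(charset_size: int, max_len: int) -> float:
    """Upper bound on password entropy, in bits, imposed by a maximum length.

    A cap of max_len characters over a charset of charset_size symbols cannot
    exceed max_len * log2(charset_size) bits, however the user chooses them.
    """
    return max_len * math.log2(charset_size)


if __name__ == "__main__":
    # Constructed sample: 95 printable ASCII symbols, published minimum of 6,
    # and a user who actually picked an 8-character password.
    cs, minimum, actual = 95, 6, 8
    print(f"guesses skipped by knowing min={minimum}: {guesses_skipped(cs, minimum):,}")
    print(f"as a share of the work to reach length {actual}: "
          f"{relative_saving(cs, minimum, actual):.2e}")
    # Constructed sample: a cap of 8 characters bounds entropy regardless of choice.
    print(f"entropy ceiling for max=8 over 95 symbols: {max_entropy_bits(cs, 8):.1f} bits")
```

Reading the output with the sample values: the guesser skips a few billion short candidates, but that is on the order of one millionth of the enumeration needed to reach an 8-character password, which is the numeric content behind "helps out a little, very little". The entropy-ceiling figure shows why a low maximum is the more consequential disclosure: it bounds every password on the system, not just the attacker's bookkeeping.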
