On Thu, 28 Nov 2024 at 10:48, Radoslaw Skorupka <[email protected]> wrote:

> "So best practice now is to use passphrases." Agreed. Not to mention
> current recommendations for loooooong passwords. However even passphrase
> can be "common". AFAIK the only solution would be ICHPWX11. The exit can
> enforce some syntax, i.e. mandatory punctuation & capital letter &
> lowercase & numeric. However even the above is not enough, since one of
> "common" passwords is P@ssw0rd.
> So, we need a list of common passwords to reject them. Now the most important: WHO CREATES THE LIST? And how often is it updated?

https://haveibeenpwned.com/

Contains a downloadable list, an API to the online list, a simple web interface to test your password, and perhaps most important, a good explanation of why it's safe to test your password using their API.

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

Some mainframe products do offer to check proposed passwords against this list. In the case of my former employer (Betasystems), it's an option on their password sync and reset products.

> BTW: I would think about MFA. Even long and complex
> password can be peeked.

Some other thoughts from an indeed thoughtful guy on passwords and what the "security" world gets wrong:

https://stuartschechter.org/posts/password-history/ (recent - relates to the above list and why it had to come from data breaches)

https://stuartschechter.org/posts/before-you-turn-on-two-factor-authentication/ (old but still useful)

https://stuartschechter.org/posts/before-you-use-a-password-manager/ (also old but still useful)

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
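The k-anonymity range check that the linked Troy Hunt post explains, combined with the syntax rule Radoslaw describes, as an added example in Python. This is not code from the list post, from Have I Been Pwned, or from any mainframe product: it hashes the candidate with SHA-1, keeps only the first five hex characters as the part that would be sent, and matches the remaining 35 characters locally against the returned range. The range lookup below is a constructed offline stand-in for the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint, with a made-up breached-password set and made-up counts, so the example runs without network access; the function names are this example's own.

```python
import hashlib
import re
from typing import Callable, Dict, Tuple

# --- k-anonymity split --------------------------------------------------
def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix would ever leave the client;
    the 35-char suffix stays local and is compared against the returned range."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

# --- response parsing ---------------------------------------------------
def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line
    (CRLF-separated in the real service; splitlines() accepts either)."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue  # skip malformed lines instead of trusting them
        table[suffix.strip().upper()] = int(count)
    return table

def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the list; 0 if never seen."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)

# --- constructed offline stand-in for the range endpoint ----------------
# Constructed data (assumption): a tiny 'breached' set with made-up counts.
# A real client would GET https://api.pwnedpasswords.com/range/<prefix> instead.
CONSTRUCTED_BREACHED = {"P@ssw0rd": 12345, "password": 999999, "123456": 5555555}

def fake_range_lookup(prefix: str) -> str:
    """Build a response body shaped like the real one for the given prefix."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # one filler entry so the body is never empty, as a real range never is
    lines.append("F" * 35 + ":1")
    return "\r\n".join(lines) + "\r\n"

# --- the syntax rule from the quoted mail, plus the list check ----------
def meets_syntax_rule(password: str) -> bool:
    """Mandatory punctuation, capital letter, lowercase letter and digit."""
    return all(re.search(p, password)
               for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))

def evaluate(password: str,
             range_lookup: Callable[[str], str] = fake_range_lookup) -> Dict[str, object]:
    """Apply both checks; a password must pass syntax AND be absent from the list."""
    syntax_ok = meets_syntax_rule(password)
    seen = breach_count(password, range_lookup)
    return {"syntax_ok": syntax_ok, "breach_count": seen,
            "accept": syntax_ok and seen == 0}

if __name__ == "__main__":
    # P@ssw0rd satisfies every syntax rule yet is rejected by the list check;
    # the passphrase satisfies the rules and is not in the constructed list.
    for candidate in ("P@ssw0rd", "Correct-horse battery staple 9"):
        print(candidate, evaluate(candidate))
```

The point of `split_for_range_query` is that the full hash never appears in a request: a logging or intercepting party sees only a five-character prefix shared by hundreds of suffixes, which is why the service can be queried without disclosing the password. The `evaluate` result shows why a syntax rule alone is not enough: P@ssw0rd passes every syntax check and fails only on the list.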
