On 01.12.2024 at 09:29, Tony Harminc wrote:
On Thu, 28 Nov 2024 at 10:48, Radoslaw Skorupka <
[email protected]> wrote:
"So best practice now is to use passphrases." Agreed. Not to mention
current recommendations for loooooong passwords. However even a passphrase
can be "common". AFAIK the only solution would be ICHPWX11. The exit can
enforce some syntax, i.e. mandatory punctuation & capital letter &
lowercase & numeric. However even the above is not enough, since one of
the "common" passwords is P@ssw0rd.
So, we need a list of common passwords to
reject them. Now the most important: WHO CREATES THE LIST? And how often
is it updated?
https://haveibeenpwned.com/
Contains a downloadable list, an API to the online list, a simple web
interface to test your password, and perhaps most important, a good
explanation of why it's safe to test your password using their API.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
Some mainframe products do offer to check proposed passwords against this
list. In the case of my former employer (Betasystems), it's an option on
their password sync and reset products.
BTW: I would think about MFA. Even a long and complex
password can be peeked.
Some other thoughts from an indeed thoughtful guy on passwords and what the
"security" world gets wrong:
https://stuartschechter.org/posts/password-history/ (recent - relates to
the above list and why it had to come from data breaches)
https://stuartschechter.org/posts/before-you-turn-on-two-factor-authentication/
(old but still useful)
https://stuartschechter.org/posts/before-you-use-a-password-manager/ (also
old but still useful)
No.
None of the lists above is an *official* list to use.
Can I use an unofficial one? Great! A colleague of mine will publish a list of
passwords. Yes, it will be published. As the above.
Less popular? Who measures it? Is it a criterion?
No. So I can use *any* list I want.
And even then the update process is not even touched.
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
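As an added example (not code from the thread, from Betasystems, or from the Pwned Passwords project): the k-anonymity lookup that Tony's link describes, next to the syntax rules an ICHPWX11 exit could enforce, so that the two checks discussed above can be compared on the same input. The point it shows is that only the first 5 hex characters of the SHA-1 ever leave the client, and that "P@ssw0rd" satisfies every syntax rule and is still rejected by the breach check. The server side here is a constructed stand-in with an invented breach corpus and invented counts; the real service answers GET https://api.pwnedpasswords.com/range/{prefix} with the same "SUFFIX:COUNT" lines. The minimum length and the rule set are assumptions for illustration, not RACF's.

```python
"""k-anonymity breach check plus syntax rules (added example, not from the thread).

Assumptions (not from the original mail): range responses are lines of
'SUFFIX:COUNT' where SUFFIX is upper-case SHA-1 hex characters 6..40, the
client sends only the first 5 hex characters, and the syntax policy is
upper + lower + digit + punctuation with a minimum length of 8.
"""
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus standing in for the server side. Counts are
# invented for this example and are not real breach statistics.
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    "123456": 20_000_000,
    "password": 3_000_000,
    "qwerty": 4_000_000,
    "P@ssw0rd": 50_000,
}


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys its data by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: 5 hex chars (20 bits) go to the server, 35 stay local."""
    return digest[:5], digest[5:]


def fake_range_server(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns every corpus hash sharing the
    prefix. It only ever sees the 5-char prefix, never the full hash."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        p, s = split_hash(sha1_hex_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(sorted(lines))


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_range_server) -> int:
    """Number of times the password appears in the corpus, or 0. The suffix
    comparison happens locally; fetch_range receives only the prefix."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Assumed syntax policy of the kind an ICHPWX11 exit could enforce.
SYNTAX_RULES = (
    ("uppercase letter", re.compile(r"[A-Z]")),
    ("lowercase letter", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("punctuation", re.compile(r"[^A-Za-z0-9]")),
)


def syntax_failures(password: str, min_len: int = 8) -> List[str]:
    """Return the list of violated syntax rules (empty list means it passes)."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len}")
    for name, rx in SYNTAX_RULES:
        if not rx.search(password):
            failures.append(f"missing {name}")
    return failures


def evaluate(password: str,
             fetch_range: Callable[[str], str] = fake_range_server) -> dict:
    """Combine both checks; a password is accepted only if it passes the
    syntax rules AND is absent from the breach corpus."""
    failures = syntax_failures(password)
    count = pwned_count(password, fetch_range)
    return {"syntax_failures": failures, "pwned_count": count,
            "accepted": not failures and count == 0}


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "password", "Tr0ub4dor&3-but-longer"):
        prefix, _ = split_hash(sha1_hex_upper(pw))
        print(f"{pw!r}: sends prefix {prefix} -> {evaluate(pw)}")
```

To run this against the real service, pass a fetch function that performs the HTTP GET for the prefix and returns the response body; nothing else about the password is transmitted. The syntax rules deliberately stay separate from the breach lookup so the output makes the thread's point visible: "P@ssw0rd" reports an empty failures list and a non-zero count.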