On Wednesday 25 February 2015 18:55:29 Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 10:42 AM, Stephen John Smoogen <smooge(a)gmail.com> wrote:
> > However unless we can agree to some sort of measurement system then every
> > thing we 'impose' is going to be no better than throwing salt over our
> > shoulder and turning 3 times widdershins.
> Feynman's Freshman Class problem... I don't think this is well enough
> understood to put this in front of users. And by this, I mean,
> concepts like entropy or even a score.
That's why I proposed to also show the minimum entropy/score needed.
If I provide something that gets a score of 10 while the requirement is 20,
then I know that I need something much more complex.
On the other hand, if I get 19 and the requirement is 20, I know I need
just a simple modification to push it over the threshold.
Users already are rather familiar with password quality meters.
But the minimum entropy *depends directly* on rate limiting and password
ageing settings.
> It also doesn't actively give advice in advance, it only disqualifies
> (or admonishes) after the fact, so it's negative reinforcement,
> rather than being positive. And I can't agree this is the right
> direction to go in.
What I had in mind was that the password evaluation (and example passwords)
is done after the user stops writing (0.5s of inactivity?) or moves to the
re-entry field. So it's during the act, not after.
It's also rather hard to tell the user he can't have the password he or she
likes before knowing it...
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
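The following is an added example, not code from the thread and not anyone's proposed implementation. It makes two points of the exchange concrete: how a required minimum entropy follows from the rate-limiting and password-ageing settings (an attacker who can make N online guesses over the password's lifetime succeeds against an H-bit secret with probability about N / 2^H, so H >= log2(N / p) for an acceptable success probability p), and how a meter can report "score 19 of 20, one more character" versus "score 10 of 20, much more needed". The success-probability budget, the character-class entropy estimator and the tiny common-password list are assumptions chosen for illustration; a real meter would use a better estimator and a large leaked-password corpus.

```python
import math
import string

# Constructed sample; a real meter loads a large list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "fedora"}


def required_bits(guesses_per_second: float, lifetime_days: float,
                  max_success_probability: float = 1e-6) -> float:
    """Minimum entropy so that an online attacker limited to
    guesses_per_second for the password's whole lifetime succeeds with
    probability at most max_success_probability (assumed budget, 1e-6).

    N total guesses against a uniformly chosen H-bit secret succeed with
    probability ~ N / 2**H, hence H >= log2(N / p).
    """
    total_guesses = guesses_per_second * lifetime_days * 86400
    return math.log2(total_guesses / max_success_probability)


def charset_size(password: str) -> int:
    """Size of the smallest 'obvious' alphabet containing the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # printable ASCII punctuation
    return size


def estimate_bits(password: str) -> float:
    """Crude (assumed, not authoritative) entropy estimate: a password found in
    the common list is worth only log2(list size); otherwise assume each
    character is chosen uniformly from the detected alphabet."""
    if not password:
        return 0.0
    if password in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(password) * math.log2(charset_size(password))


def feedback(password: str, required: float) -> dict:
    """Score the password against the required minimum and say how far off it
    is: 'ok', 'nearly' (one more character of the current kind suffices) or
    'far' (several more characters, or a richer alphabet, are needed)."""
    have = estimate_bits(password)
    shortfall = required - have
    per_char = math.log2(charset_size(password)) if password else math.log2(26)
    if shortfall <= 0:
        verdict, extra_chars = "ok", 0
    else:
        extra_chars = math.ceil(shortfall / per_char)
        verdict = "nearly" if extra_chars == 1 else "far"
    return {
        "bits": round(have, 1),
        "required": round(required, 1),
        "shortfall": round(max(0.0, shortfall), 1),
        "extra_chars": extra_chars,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The same password passes or fails depending on the policy it is measured
    # against: a lockout policy (1 guess/s) vs. none (1000 guesses/s), and a
    # 90-day vs. 365-day password lifetime.
    for rate, days in [(1, 90), (1, 365), (1000, 90), (1000, 365)]:
        req = required_bits(rate, days)
        print(f"{rate:>5} guesses/s, {days:>3} days -> need {req:.1f} bits")
    req = required_bits(10, 90)
    for pw in ["password", "abcdefgh", "abcdefghi", "abcdefghij", "Tr0ub4dor&3"]:
        print(pw, feedback(pw, req))
```

The meter's reported threshold moves with the policy: tightening rate limiting by three orders of magnitude lowers the requirement by about 10 bits, and a longer lifetime raises it, which is the coupling the message points out.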