| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALiR+uMFOrjf4Y7Hz1X7rdQMF3Ypdwx2ubqB_yafnpqmzdv3MA@mail.gmail.com> Date: Fri, 24 Apr 2015 18:34:04 +0200 From: Sascha Schmidt <sascha.schmidt@...-weimar.de> To: discussions@...sword-hashing.net Subject: Re: [PHC] Client-side hashing (was side-channel stuff) 2015-04-24 18:12 GMT+02:00 Krisztián Pintér <pinterkr@...il.com>: > expiration yes, but it is not reckless. it is merely an inconvenience. Yes. My bad. Reckless was overstated. > and we are not talking about months here. we are talking about years. I'm pretty sure that this is a common time span for at least some scenarios. > so the downside is passwords will expire after a year or two, and the > user must proceed with the forgotten password routine. i don't think > it is that bad. I just personally have a great aversion of forgotten password routines when it comes to usability and security. Maybe I just haven't seen a good one yet. Sincerely Sascha Schmidt
Powered by blists - more mailing lists