4 points Tomte | 2 comments
1. Terr_ (No.42202055)
> As a result of Morris and Thompson’s recommendations [of one-way hashing] and those who believed their assumptions without evidence, it was not until well into the 21st century that the scientific community learned just how ineffective password policies were.

Not sure about where the "scientific" community boundaries are, but I'm pretty sure that even in the pre-21st decades it was no secret among system administrators. They knew their users erred towards the most terrible passwords the system would permit.

replies(1): >>42202510
2. eesmith (No.42202510)
Yes, they knew it was a problem because tools like John the Ripper, a password cracking software tool, were developed in the 1990s and showed that a lot of people used easily cracked passwords. (I mention that one because it's one I used back then, as a part-time sys admin.)

The part which makes the text correct (or at least "technically correct") is "just how ineffective". Password crackers couldn't analyze the uncracked passwords to tell you how effective they actually were, leaving doubt.