Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Peter Robinson pbrobinson at gmail.com
Wed Oct 12 18:10:44 UTC 2011


On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson <awilliam at redhat.com> wrote:
> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>> On 12 October 2011 17:44, Kevin Fenzi <kevin at scrye.com> wrote:
>> > All existing users of the Fedora Account System (FAS) at
>> > https://admin.fedoraproject.org/accounts are required to change their
>> > password and upload a NEW ssh public key before 2011-11-30.
>>
>> I have to upload a *new* public key? Why should I have two sets of keys?
>
> Meant 'replacement'. You can only have one key in FAS, afaict.
>
>> > * Nine or more characters with lower and upper case letters, digits and
>> >  punctuation marks.
>> > * Ten or more characters with lower and upper case letters and digits.
>> > * Twelve or more characters with lower case letters and digits
>> > * Twenty or more characters with all lower case letters.
>>
>> This is just insane. My existing password is 8 digits and
>> alphanumeric, and given that I have to enter it over and over again
>> (and prove "I'm human", another WTF) when creating updates I'm really
>> wondering if I want to bother.
>>
>> Talk about putting up barriers.
>
> I can think of no reason why everyone shouldn't use a password manager.
> It's just hands down a better way to do things in every respect. Eight
> characters alphanumeric is not actually a very strong password; the
> numbers on how long it'd take to brute force with e.g. EC2 are quite
> tiny. And an account like yours certainly counts as high-value.

In fact there are rainbow tables out there easily available of all 8
alphanumeric combinations where you wouldn't even need EC2 to crack a
lot of them. I know of a couple of DBs where they have terabytes of
precalculated password hashes and it's just a simple string match.

Peter
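A checker for the four password tiers quoted from the FAS announcement above, added here as an example (it is not code from FAS or from anyone in the thread). It assumes that a password qualifies for every tier whose required character classes it contains, and that the most lenient qualifying tier sets the minimum length.

```python
import string

# Tiers as quoted from the announcement: (required character classes, minimum length).
# Assumption (not stated on the page): a password containing every class a tier
# requires qualifies for that tier; the most lenient qualifying tier wins.
POLICY_TIERS = (
    (frozenset({"lower", "upper", "digit", "punct"}), 9),
    (frozenset({"lower", "upper", "digit"}), 10),
    (frozenset({"lower", "digit"}), 12),
    (frozenset({"lower"}), 20),
)


def character_classes(password: str) -> frozenset:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return frozenset(classes)


def required_length(password: str):
    """Minimum length the policy demands for this class mix, or None if no tier applies."""
    present = character_classes(password)
    candidates = [minimum for required, minimum in POLICY_TIERS if required <= present]
    return min(candidates) if candidates else None


def check_password(password: str) -> tuple:
    """Return (accepted, reason) for a candidate password under the quoted policy."""
    needed = required_length(password)
    if needed is None:
        return False, "no tier matches this character mix (lowercase letters are required)"
    if len(password) < needed:
        return False, f"{len(password)} characters; this mix needs at least {needed}"
    return True, f"ok: {len(password)} characters, minimum for this mix is {needed}"


if __name__ == "__main__":
    # Constructed sample passwords, including an 8-character alphanumeric one like the
    # kind discussed in the thread.
    for candidate in ("abcd1234", "Tr0ub4dor&3", "correcthorsebatterystaple", "ABCDEFGHIJ12345"):
        print(repr(candidate), check_password(candidate))
```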

