Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Przemek Klosowski
przemek.klosowski at nist.gov
Wed Oct 12 18:37:44 UTC 2011
On 10/12/2011 01:41 PM, Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi<kevin at scrye.com> wrote:
>> * Nine or more characters with lower and upper case letters, digits and
>> punctuation marks.
>> * Ten or more characters with lower and upper case letters and digits.
>> * Twelve or more characters with lower case letters and digits
>> * Twenty or more characters with all lower case letters.
>
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
Length beats out larger character set, which is nicely illustrated by
the XKCD cartoon
http://imgs.xkcd.com/comics/password_strength.png
Considering that it's hard to type a wide character set (I probably
touch-type '&' correctly about 70% of the time), I actually like long
alpha passwords.
It is strange though that the complexity of the new requirements varies
so much:
(24+24+10+12)^9 or 4.0354e+16
(24+24+10)^10 or 4.3080e+17
(24+24)^12 or 1.4959e+20
(24)^20 or 4.0200e+27
except, of course, the alphabetic strings aren't likely to be purely
random but rather dictionary words, which would reduce the complexity
spread.
Richard's complexity is (24+24+10)^8, or 1.2806e+14 which is not that
much worse than the low end. We all know that he'll just add '1' to his
existing password :)
except, of course, the alphabetic strings aren't going to be purely
random but rather dictionary words, which would reduce the complexity
spread.
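An added example, not part of the original message: a checker for the four length tiers quoted above, plus the keyspace in bits at each tier's minimum length. The class sizes (26 lowercase, 26 uppercase, 10 digits, 32 symbols from Python's `string.punctuation`), the rule that a tier is met when every class it names appears, and the sample passwords are assumptions of this example, not figures from the thread.

```python
import math
import string

# Character classes (assumption of this example: ASCII only, sizes 26/26/10/32).
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "punct": string.punctuation}

# The four tiers quoted in the thread: (minimum length, classes that must appear).
TIERS = [
    (9, {"lower", "upper", "digit", "punct"}),
    (10, {"lower", "upper", "digit"}),
    (12, {"lower", "digit"}),
    (20, {"lower"}),
]


def classes_used(password):
    """Return the names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def satisfied_tier(password):
    """Return the index of the first tier the password meets, or None.

    Assumed reading: a tier is met when every class it names is present and
    the length reaches its minimum; other characters count toward length only.
    """
    used = classes_used(password)
    for i, (min_len, required) in enumerate(TIERS):
        if required <= used and len(password) >= min_len:
            return i
    return None


def random_keyspace_bits(length, class_names):
    """log2 of the count of strings of this length over the given classes.

    An upper bound: it holds for uniformly random characters, not for
    dictionary words, which is the caveat raised in the message.
    """
    return length * math.log2(sum(len(CLASSES[n]) for n in class_names))


def tier_floor_bits():
    """Keyspace in bits at each tier's minimum length, rounded to 0.1."""
    return [round(random_keyspace_bits(n, req), 1) for n, req in TIERS]


if __name__ == "__main__":
    for pw in ("abc12345", "Abcdefgh12", "correcthorsebatterystaple"):  # constructed
        print(pw, "->", satisfied_tier(pw))
    print(tier_floor_bits())
```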