FESCO request to revert password confirmation change in F22

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sun Mar 8 12:44:30 UTC 2015


Mike Pinkerton wrote:
> I was responding to Björn Persson's suggestion that, in discussions
> of password quality, correcthorsebatterystaple would be an example of
> a safe password.

Safe_r_. Security in passphrases isn't a binary thing. XKCD 936
demonstrates that "correct horse battery staple" is much more secure
than "Tr0ub4dor&3". (It shows the math in nice graphical form, very
easy to follow.) Whether one or the other is secure enough depends on
what you use it for.

(Of course those two specific examples are worthless as passphrases now
that they're famous.)

> My point is that, if attackers are using strategies
> other than brute forcing, which the Ars Technica article suggests is
> the case, then constructing long passwords out of known words is
> probably not a safe strategy.

Those strategies are designed to crack bad passphrases that adhere to
common patterns. They don't help with cracking *random* passphrases.

And again, the security lies in *how many* words you use.

> Because the word lists used by attackers are lists of strings that
> they have scraped from various sources -- human language
> dictionaries, password strings found in previous attacks, passwords
> publicized by Adam on mailing lists, strings constructed on patterns
> (e.g., "7kids", "8kids"), etc. -- a string that one would normally
> think of as four words -- correcthorsebatterystaple -- once it has
> been discovered as a password once and added to the attacker's word
> list, becomes only one word for all future cracking attempts.

And that's why you shouldn't use a passphrase that is likely to be
chosen by anyone else. You should use a *random* combination of several
words, or a long *random* string of characters (stored in a password
manager).

Or else you should make it so long and so individual that no one else
is likely to come up with the same phrase – but that's much harder than
people think. I bet the person who came up with "all of the lights"
thought it was long and individual enough, but obviously it wasn't.
"When I was seven, my sister threw my stuffed rabbit in the toilet."
might have been.

> Except that the attackers aren't brute forcing long passwords.
> Apparently, they can successfully crack a ridiculously high
> percentage (90% in the Ars Technica experiment) in the space of a day
> using other techniques.

Because a ridiculously high percentage of passwords are badly chosen.

Björn Persson
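The arithmetic behind the reply's points, as an added example that is not part of the thread: entropy grows with the number of randomly chosen words, and a phrase that lands in an attacker's list is worth only one entry of that list no matter how long it is. The 2048-word list and 1000 guesses/second rate are the XKCD 936 assumptions; the tiny word list below is constructed for illustration.

```python
import math
import secrets

# Constructed sample list; a real Diceware list has 7776 entries and the
# XKCD 936 estimate assumes roughly 2048 common words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "apple", "river", "window", "pencil"]


def passphrase_entropy_bits(words_in_list: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly at random (with
    replacement) from a list of words_in_list entries: k * log2(N)."""
    return word_count * math.log2(words_in_list)


def random_passphrase(word_list, word_count: int, sep: str = " ") -> str:
    """Choose words with a CSPRNG. The security comes from this randomness
    and from word_count, not from the words themselves being obscure."""
    return sep.join(secrets.choice(word_list) for _ in range(word_count))


def effective_bits_if_leaked(attacker_list_size: int) -> float:
    """Once a phrase is in the attacker's list it is a single candidate among
    attacker_list_size entries, so its length no longer matters."""
    return math.log2(attacker_list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a bits-bit space."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(random_passphrase(SAMPLE_WORDS, 4))
    # 4 random words from 2048: 44 bits, about 550 years at 1000 guesses/s
    print(years_to_exhaust(passphrase_entropy_bits(2048, 4), 1000))
    # XKCD's pattern-based estimate for "Tr0ub4dor&3": 28 bits, about 3 days
    print(years_to_exhaust(28, 1000) * 365)
    # the famous phrase itself, now one entry in a million-entry list
    print(effective_bits_if_leaked(2 ** 20))
```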