FESCO request to revert password confirmation change in F22

Nico Kadel-Garcia nkadel at gmail.com
Sun Mar 8 16:24:51 UTC 2015


On Sun, Mar 8, 2015 at 8:44 AM, Björn Persson <Bjorn at rombobjörn.se> wrote:
> Mike Pinkerton wrote:
>> I was responding to Björn Persson's suggestion that, in discussions
>> of password quality, correcthorsebatterystaple would be an example of
>> a safe password.
>
> Safe_r_. Security in passphrases isn't a binary thing. XKCD 936
> demonstrates that "correct horse battery staple" is much more secure
> than "Tr0ub4dor&3". (It shows the math in nice graphical form, very
> easy to follow.) Whether one or the other is secure enough depends on
> what you use it for.
>
> (Of course those two specific examples are worthless as passphrases now
> that they're famous.)

Right. I'm the guy that brought up the XKCD comic. The actual message
of the comic is entertaining, and enlightening. Our modern password
creation policies are forcing us to follow arbitrary mathematical
rules that make our passwords *impossible to remember*.

And it gets worse. If you have RSI, or a bad keyboard or visual
issues, or use a speech-to-text system, and you're having to type an
8-character mixed-case, non-alphabetical passphrase that *you cannot
visually review or confirm*, password generation becomes nightmarish.

>> My point is that, if attackers are using strategies
>> other than brute forcing, which the Ars Technica article suggests is
>> the case, then constructing long passwords out of known words is
>> probably not a safe strategy.
>
> Those strategies are designed to crack bad passphrases that adhere to
> common patterns. They don't help with cracking *random* passphrases.
>
> And again, the security lies in *how many* words you use.

There's also a counterproductive effect. Passwords that are enforced,
by policy, to be nonsensical gibberish tend to be written down,
because no one can remember them. And because no one can remember
them, they're written down in easily accessed locations. The classic
storage is the Post-it note on the secretary's desk, but I see a lot
of people who should know better writing them into source control
systems that everyone in the company can read.

>> Except that the attackers aren't brute forcing long passwords.
>> Apparently, they can successfully crack a ridiculously high
>> percentage (90% in the Ars Technica experiment) in the space of a day
>> using other techniques.
>
> Because a ridiculously high percentage of passwords are badly chosen.
>
> Björn Persson

And a ridiculous number of them are being set, permanently, for admins
and trusted users who couldn't spell "password rotation" if you
tattooed one word on each hand.
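Added example, not written by any participant in the thread: the entropy arithmetic behind the XKCD 936 comparison Björn refers to, plus a CSPRNG-backed generator for the *random* passphrases he distinguishes from patterned ones. The word list, the 2048-word list size and the guess rates are constructed assumptions for the demo.

```python
import math
import secrets

# Constructed sample word list for the demo. The XKCD 936 estimate assumes a list of
# roughly 2048 common words (11 bits per word); a Diceware list has 7776 (~12.9 bits).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "candle", "river", "pillow"]
XKCD_WORDLIST_SIZE = 2048          # assumption taken from the comic's estimate
SECONDS_PER_YEAR = 31_557_600      # Julian year


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of word_count *uniformly random* words.

    Each word adds log2(wordlist_size) bits, so security grows with the number
    of words, which is the point made in the thread. This only holds for random
    draws; human-picked word sequences follow patterns and are much weaker.
    """
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from at least two candidates")
    return word_count * math.log2(wordlist_size)


def uniform_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound for a password of `length` symbols drawn uniformly from an alphabet.

    A human-chosen 'Tr0ub4dor&3' sits far below this bound because the base word,
    the leet substitutions and the trailing digit/symbol are predictable to a cracker.
    """
    return length * math.log2(alphabet_size)


def worst_case_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole space at a given guess rate. The comic's 1000/s
    models an online attack; offline cracking of a hash dump is orders faster."""
    return (2 ** entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, word_count: int, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice, so the
    entropy figure computed above actually applies to the result."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    four_words = passphrase_entropy_bits(4, XKCD_WORDLIST_SIZE)   # 44 bits
    print(f"4 random words: {four_words:.0f} bits, "
          f"{worst_case_crack_years(four_words, 1_000):.0f} years at 1000 guesses/s, "
          f"{worst_case_crack_years(four_words, 1e9) * 365.25:.2f} days at 1e9 guesses/s")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
```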