On 10/12/2011 02:10 PM, Peter Robinson wrote:
On Wed, Oct 12, 2011 at 6:51 PM, Adam
Williamson<awilliam(a)redhat.com> wrote:
> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>> On 12 October 2011 17:44, Kevin Fenzi<kevin(a)scrye.com> wrote:
>>> All existing users of the Fedora Account System (FAS) at
>>>
https://admin.fedoraproject.org/accounts are required to change their
>>> password and upload a NEW ssh public key before 2011-11-30.
>>
>> I have to upload a *new* public key? Why should I have two sets of keys?
>
> Meant 'replacement'. You can only have one key in FAS, afaict.
>
>>> * Nine or more characters with lower and upper case letters, digits and
>>> punctuation marks.
>>> * Ten or more characters with lower and upper case letters and digits.
>>> * Twelve or more characters with lower case letters and digits
>>> * Twenty or more characters with all lower case letters.
>>
>> This is just insane. My existing password is 8 digits and
>> alphanumeric, and given that I have to enter it over and over again
>> (and prove "I'm human", another WTF) when creating updates I'm
really
>> wondering if I want to bother.
>>
>> Talk about putting up barriers.
>
> I can think of no reason why everyone shouldn't use a password manager.
> It's just hands down a better way to do things in every respect. Eight
> characters alphanumeric is not actually a very strong password; the
> numbers on how long it'd take to brute force with e.g. EC2 are quite
> tiny. And an account like yours certainly counts as high-value.
In fact there are rainbow tables out there easily available of all 8
alpha numeric combinations where you wouldn't even need EC2 to crack a
lot of them. I know of a couple DBs where they have Terabytes of pre
calculated password hashes and its just a simple string match.
Peter
If FAS uses salts, and the DB hasn't been compromised, then rainbow
tables are useless. If re-encryption is used, then brute force will be
much slower.
Eight char passwords are not ideal, but they are also not trivially
compromised if the system uses relatively basic/simple precautions.
Again, baring a lead of the DB/salts therein.
--
Digimer
E-Mail: digimer(a)alteeve.com
Freenode handle: digimer
Papers and Projects:
http://alteeve.com
Node Assassin:
http://nodeassassin.org
"At what point did we forget that the Space Shuttle was, essentially,
a program that strapped human beings to an explosion and tried to stab
through the sky with fire and math?"