3:39 a.m.
Hi,
today, Red Hat Bugzilla forced me to change my password because apparently a
password of 9 random alphanumeric+symbol characters (1 symbol, 8 mixed-case
alphanumeric) is suddenly no longer considered secure enough. This is
absolutely ridiculous for a bug tracker. It is not like that password is for
a bank account or for a build system (I believe FAS and thus Koji actually
has less stringent password security requirements than that!), so how secure
does the password really have to be?
I have generated a new 20-character random password with "pwgen -s 20 1",
and that is good enough for Bugzilla (but who knows for how long?), but this
is absolutely absurd.
Kevin Kofler
5:24 a.m.
On Fri, Oct 14, 2022 at 1:39 AM Kevin Kofler via devel
<devel(a)lists.fedoraproject.org> wrote:
... but this is absolutely absurd.
To (mis) quote Randy Bush: "their application, their rules".
If you don't like them, find another provider.
I hope that RedHat quickly supports passkeys, where
this all becomes moot.
Unless you share your specific password (please do
*NOT* *NOT* do so), there is no way to know for sure
if the password has other issues.
For example, technically, PassWORD! meets most
minimal length and mixed case requirements, but
is clearly not a good password.
10:14 a.m.
On 14-10-2022 03:39, Kevin Kofler via devel wrote:
It is not like that password is for
a bank account or for a build system (I believe FAS and thus Koji actually
has less stringent password security requirements than that!), so how secure
does the password really have to be?
You basically already mentioned your way out: log in with FAS.
-- Sandro
10:28 a.m.
V Fri, Oct 14, 2022 at 03:39:32AM +0200, Kevin Kofler via devel napsal(a):
today, Red Hat Bugzilla forced me to change my password because
apparently a
password of 9 random alphanumeric+symbol characters (1 symbol, 8 mixed-case
alphanumeric) is suddenly no longer considered secure enough. This is
absolutely ridiculous for a bug tracker. It is not like that password is for
a bank account or for a build system (I believe FAS and thus Koji actually
has less stringent password security requirements than that!), so how secure
does the password really have to be?
Bugzilla contain data about embargoed vulnerabilities.
-- Petr
10:30 a.m.
W dniu 14.10.2022 o 03:39, Kevin Kofler via devel pisze:
today, Red Hat Bugzilla forced me to change my password because
apparently a password of 9 random alphanumeric+symbol characters (1
symbol, 8 mixed-case alphanumeric) is suddenly no longer considered
secure enough. This is absolutely ridiculous for a bug tracker.
This bug tracker is also used to track several other products. Has
several bug raports marked as private for security or confidential or
other reasons. Fedora is just one of products tracked there.
It is not like that password is for a bank account or for a build
system (I believe FAS and thus Koji actually has less stringent
password security requirements than that!), so how secure does the
password really have to be?
9 characters password in 2022 is considered 'easy breakable' thanks to
power of GPUs.
Maybe start using some password manager to generate and store long
enough passwords? Or invent easy to remember ones like "I am Kevin
Kofler and this is my password#$78"?
11:01 p.m.
Marcin Juszkiewicz wrote:
9 characters password in 2022 is considered 'easy breakable'
thanks to
power of GPUs.
To "break" the password offline with a GPU, you need a hashed password to
begin with. If I log in securely over HTTPS and if the server is not
compromised (and neither is my computer), you do not get my password,
neither hashed nor unhashed. So then you need to actually brute-force the
password by logging in to the server, the GPU will not help you a bit, and
you will likely get blacklisted pretty quickly. So I see this as an absolute
non-issue.
Maybe start using some password manager to generate and store long
enough passwords?
Well, yes, I store the password in KWallet, so it was not a major
inconvenience to have to generate and store a new one. It was just an
entirely unnecessary inconvenience.
Kevin Kofler
1:31 p.m.
Kevin Kofler via devel wrote:
I have generated a new 20-character random password with "pwgen
-s 20 1",
See how easy that was. And your using random passcodes tells me that
you keep them in a password manager, which means that you don't need to
type the passcode, so you have no need to limit its length.
Can't you find some actual problem to be angry over?
Björn Persson
11:04 p.m.
Sérgio Basto wrote:
please try `pwgen -s 20 1 -cny`
Good idea, though it actually accepted the 20-character alphanumeric
password without symbols just fine. I believe there used to be a requirement
for a symbol, but this does not seem to be a hard requirement anymore, there
is a more complex strength check now.
Kevin Kofler
603
days inactive
604
days old
8 comments
7 participants
participants (7)
-
Björn Persson -
Gary Buhrmaster -
Kevin Kofler -
Marcin Juszkiewicz -
Petr Pisar -
Sandro -
Sérgio Basto