Hey, so we discussed in the meeting, FAS's password requirements are currently very lax - just a minimum length of 8 characters. What do we think the requirements should be changed to?
One possible strength checker that I mentioned during the meeting was: http://www.nongnu.org/python-crack/
This can use a dictionary to detect weak passwords.
Thoughts? Ricky
Minimum 12 characters
Alphanumeric
Mixed case
Minimum 2 special characters
On Thu, 17 Mar 2011 20:58:36 -0400 Ricky Zhou ricky@fedoraproject.org wrote:
I think some requirements could be good here.
What are the requirements used by anaconda/passwd? Many Fedora folks should be used to those. pam_cracklib defaults to 8 chars I think (man pam_cracklib), but I'm not sure which other things it gates.
- forbid the login in the password (either forward or backward)
- 8 chars
- at least 1 upper case
- at least 1 special char
Or the like. I think having some requirements is good...
kevin
On Sun, 20 Mar 2011 12:53:05 +1300 Jose Mathew Manimala josemanimala@gmail.com wrote:
Also, I would think we should not allow the same character adjacent to itself.
For example, say "rep@rcuss1on": this would be hard, but a brute force can still crack this... (offline password crack using John the Ripper, as in the recent rootkit.com exploit).
Well, we want to be careful not to make it too restrictive... because if you have enough rules you are reducing the pool of possible addresses, in the end making it easier to brute force. :) (so long as the rules are known, and we would need to tell our users that, so an attacker would know as well).
Setting up a slowdown in FAS for login attempts could also help prevent brute force (i.e., failed attempts take 2x as long each time, etc.).
kevin
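As an added illustration (not code from this thread or from FAS), here is a Python checker for the rule set proposed above: Kevin's length, upper-case, special-character and no-login-forward-or-backward rules, Jose's no-adjacent-repeat rule, and a small dictionary check standing in for what python-crack would do. The word list and the leet-substitution table are constructed assumptions.

```python
import re
import string

# Constructed stand-in for the dictionary a tool like python-crack consults.
WEAK_WORDS = {"password", "fedora", "letmein", "qwerty"}

# Common substitutions undone before the dictionary lookup: @->a, $->s,
# 0->o, 1->i, 3->e, 4->a, !->i, |->l (an assumed table, not python-crack's).
LEET_TABLE = str.maketrans("@$0134!|", "asoieail")


def check_password(password, login, min_length=8, dictionary=WEAK_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    lowered_login = login.lower()

    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    # Login name must not appear forward or backward (case-insensitive).
    if lowered_login and (lowered_login in lowered
                          or lowered_login[::-1] in lowered):
        problems.append("contains the login name")

    # No character immediately repeated, e.g. the "ss" in "rep@rcuss1on".
    if re.search(r"(.)\1", password):
        problems.append("repeats a character adjacently")

    # Dictionary check: undo leet substitutions, keep letters only, then look
    # for any weak word as a substring so "p@s$w0rd" is still caught.
    letters = re.sub(r"[^a-z]", "", lowered.translate(LEET_TABLE))
    if any(word in letters for word in dictionary):
        problems.append("contains a dictionary word")

    return problems


if __name__ == "__main__":
    for candidate in ("p@s$w0rd", "rep@rcuss1on", "Ykcir!Tea9x", "Fz7!mKq2pX"):
        print(candidate, "->", check_password(candidate, "ricky") or "ok")
```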
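An added sketch (not FAS code) of the login slowdown Kevin describes: each failed attempt for an account doubles the delay applied to its next attempt, a cap keeps the delay bounded, and a successful login resets it. The in-memory dict and the chosen base and cap values are assumptions.

```python
class LoginBackoff:
    """Per-account delay that doubles after every failed attempt."""

    def __init__(self, base_delay=1.0, max_delay=64.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}  # login -> consecutive failure count (assumed in-memory store)

    def delay_for(self, login):
        """Seconds to wait before processing the next attempt for this login."""
        n = self.failures.get(login, 0)
        if n == 0:
            return 0.0
        # First failure costs base_delay, second 2x, third 4x, ... up to the cap.
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record(self, login, success):
        """Update the counter after an attempt and return the new delay."""
        if success:
            self.failures.pop(login, None)
        else:
            self.failures[login] = self.failures.get(login, 0) + 1
        return self.delay_for(login)


if __name__ == "__main__":
    backoff = LoginBackoff()
    for outcome in (False, False, False, True):
        print("delay now:", backoff.record("ricky", outcome))
```

A deployment would keep the counters in a shared store rather than process memory, and would pair this with per-source limits so one attacker cannot simply impose delays on someone else's account.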
On Sat, Mar 19, 2011 at 17:49:19 -0600, Kevin Fenzi kevin@scrye.com wrote:
We are looking at this issue at work, as we are going to need to have around a couple hundred people here at InCommon Silver in about 18 months (and probably more not too long after that). One nice document on password complexity is appendix A of the document at: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
This should at least give you guys some things for thought.
On 03/17/2011 08:58 PM, Ricky Zhou wrote:
Somewhat tangentially, I'd like to also mention that if we create a set of minimum password requirements, this should be visible not only on the password creation page, but also on the password entry pages (even if it's just a mouse-over of a "?" icon next to the password-entry field).
In my experience, people are prone to forgetting their passwords. The best hint we can give a person to remember their password (without requiring them to add a hint message that could reveal information to an attacker) is to allow them to see which set of rules the password had to adhere to.
It's an unfortunate truth that many users reuse passwords across multiple sites. In general, they need to maintain a few categories of passwords. e.g.
* My password for really low-security sites that I don't care about: password
* My password for my local computer; just complicated enough so I can remember it but not easily socially-engineered: p@s$w0rd
* My really secure password for important work stuff: P@ssphr@seW|thMany$pecialChars
Allowing the user to see that FAS requires e.g. eight or more characters with at least one capital and one special character would narrow the above example down (in this case, only P@ssphr@seW|thMany$pecialChars would meet the requirements, so I'll remember to use that).