> On Mon, Feb 23, 2015 at 4:22 PM, Miloslav Trmač
> <mitr(a)redhat.com> wrote:
>> AFAICT a good rate limiting / denyhosts-like blacklist would make the
>> higher password quality requirement mostly unnecessary. With rate
>> limiting, strong password quality (beyond the “not obviously stupid” level
>> of password quality) only matters against off-line attacks.
> This comment I think is in scope for the FESCo ticket. It'd also be
> useful to know exactly how to obtain the "not obviously stupid" check. Is
> this some blacklist made of the top 100,000 most common passwords used in
> 2014 hacks?
That is not some absolute measure; it is intrinsically linked with how we
rate-limit/otherwise protect passwords. For a hypothetical made-up example,
suppose we decided on a goal that a Fedora box should be able to resist 7 days
of continuous password guessing, _and_ had an ssh rate limiting implementation
that restricted the botnet to 1 guess a minute over the 7 days. Then we only
need to protect against the 10,080 possible guesses, i.e. something on the
order of the top 20,000 most common passwords (compare that with the 479,828
entries in /usr/share/dict/words). Obviously with a different rate
limiting/brute-forcing implementation, or a different goal, the password
strength requirement would be different.
Mirek
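The sizing argument above, turned into a check, as an added example that is not code from the thread or from Fedora: the online guess budget is derived from the goal horizon and the rate limit, and the "not obviously stupid" blacklist is cut from a frequency-ranked password list at that budget. The `sources` parameter and the `margin` padding are assumptions beyond the thread (a per-address limiter lets a botnet guess from many addresses at once; ranked lists only approximate what will actually be tried), and `SAMPLE_RANKED` is a constructed stand-in for a real ranked list.

```python
from typing import Sequence

MINUTES_PER_DAY = 24 * 60

# Constructed stand-in for a frequency-ranked list of leaked passwords
# (most common first); a real deployment would load a full ranked list.
SAMPLE_RANKED = ["123456", "password", "12345678", "qwerty", "abc123",
                 "111111", "letmein", "monkey", "dragon", "iloveyou"]


def guess_budget(days: float, guesses_per_minute: float, sources: int = 1) -> int:
    """Online guesses an attacker can make over the goal horizon.

    With the thread's numbers (7 days, 1 guess/minute) this is 10,080.
    `sources` is an assumption beyond the thread: a per-address limiter that
    lets N addresses guess independently multiplies the budget by N.
    """
    return int(days * MINUTES_PER_DAY * guesses_per_minute * sources)


def build_blacklist(ranked: Sequence[str], budget: int, margin: float = 2.0) -> frozenset:
    """Blacklist every password the attacker could try within `budget` guesses.

    `margin` pads the cutoff because frequency lists only approximate what a
    given botnet will try (the thread rounds 10,080 up to "top 20,000").
    Entries are lower-cased so trivial case variants are caught as well.
    """
    cutoff = int(budget * margin)
    return frozenset(p.lower() for p in ranked[:cutoff])


def is_obviously_stupid(password: str, blacklist: frozenset) -> bool:
    """The cheap check that, with rate limiting in place, is all the online
    threat model needs; offline cracking still requires real entropy."""
    return password.lower() in blacklist


if __name__ == "__main__":
    budget = guess_budget(days=7, guesses_per_minute=1)
    blacklist = build_blacklist(SAMPLE_RANKED, budget)
    for candidate in ["Password", "correct horse battery staple"]:
        verdict = "reject" if is_obviously_stupid(candidate, blacklist) else "ok"
        print(f"{candidate!r} -> {verdict}")
```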