> and I agree, blanket requirement of changing the password every 30 days is
> bad
> but if we say "password never expires" we need to assume (for purposes of
> calculation) a sufficiently long password life-time - like 100 years
“Sufficiently long”, yes. 100 years, no—other time limits will become binding much
earlier:
* Can a botnet survive over 100 years? Something between 3 and 10 years seems a better
guess.
* Will a deployed system stay around for 100 years? The usual hardware warranty is around
3 years, even small businesses tend to upgrade around every 10 years (and change ISPs,
i.e. IP addresses, even more frequently).
* Will a botnet continue to hammer a single system after 99 years of failures, or give up
and move on to an easier target?
For an untargeted attack, I would expect the last factor to dominate—resiliency for 1–7
days of continuous password guessing intuitively seems quite sufficient (though this
depends not as much on what Fedora does as on what OS vendors of other possible targets do).
For a targeted attack from a nation state, I don’t know; passwords tend to get reused over
a long time and a nation state may have the resources, interest and means to keep
following and attacking the same person/company over their various computing systems for a
decade or more easily enough. The folk wisdom is that any targeted attack like this will
eventually succeed, so I’m really not sure where to put the line between “worthwhile
effort to protect our users” and “eh, you are screwed anyway, let’s not annoy those who
are not targets like you”.
> > > If we use the NIST recommendation of 100 unsuccessful login attempts to
> > > lockout account and 30 day password rotation, then we may be fine with
> > > just 10 bit entropy - that of a random 4 digit PIN or single dictionary
> > > password.
> > OK yet my bank card 4 digit PIN doesn't rotate. It never expires. It's
> > been the same for 8+ years.
> it's also locked out after 3 unsuccessful attempts and requires possession of
> hardware token, not a favourable comparison
(FWIW the locking out after 3 tries is not universal; I know of several banks where 3 bad
attempts will just cause the current transaction to be aborted and allow you to try
elsewhere again immediately (not even locking you out for 24 hours). But then banks never
speak about their internal rate limiting and alarm and automated / manual blocking rules,
so we will not know the full picture.)
Mirek
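A small calculator for the guess-budget reasoning in this exchange, added here as an illustration; it is not code from the thread or from any Fedora policy. It models a password policy as "N failed attempts per window", takes the attacker's persistence horizon (the botnet/hardware/patience limit Mirek argues is the binding one) rather than the nominal password age, and derives the entropy needed so that the total number of online guesses succeeds with at most some target probability. The 100-attempt lockout, 30-day rotation, 3-try card lock and 8-year PIN come from the thread; the 1 guess/second rate limit, the 7-day and 10-year horizons and the 10% success target are assumptions made for the example.

```python
import math

DAY = 86_400
YEAR = 365 * DAY


def guess_budget(attempts_per_window, window_seconds, horizon_seconds):
    """Total online guesses available before the attacker's horizon runs out.

    attempts_per_window: failed attempts tolerated before the budget resets
                         (a lockout counter, or a per-second rate limit)
    window_seconds:      how often the budget resets; None means never
                         (a hard lockout that is only cleared manually)
    horizon_seconds:     how long the attacker keeps trying (botnet lifetime,
                         hardware lifetime, attacker patience), which is the
                         limit that binds, not the nominal password age
    """
    if window_seconds is None:
        return attempts_per_window
    windows = math.ceil(horizon_seconds / window_seconds)
    return attempts_per_window * windows


def required_bits(total_guesses, max_success_prob):
    """Smallest entropy (bits of a uniformly random secret) such that
    total_guesses guesses succeed with probability <= max_success_prob:
    guesses / 2**bits <= p  <=>  bits >= log2(guesses / p).

    guesses / keyspace is a union bound, so it also holds when the guesses
    are spread over a succession of rotated passwords."""
    return math.ceil(math.log2(total_guesses / max_success_prob))


def success_probability(total_guesses, keyspace):
    """Chance that uniformly random guessing finds a uniformly random secret
    drawn from a keyspace of the given size (capped at 1)."""
    return min(1.0, total_guesses / keyspace)


# Constructed scenarios: (attempts per window, window seconds, horizon seconds).
SCENARIOS = {
    # Policy quoted in the thread: 100 failures lock the account and the
    # password is rotated every 30 days, so the horizon is one password life.
    "nist_100_attempts_30d_rotation": (100, 30 * DAY, 30 * DAY),
    # Bank card: 3 failures lock the card for good, never expires (8 years).
    "bank_pin_3_then_lock": (3, None, 8 * YEAR),
    # Untargeted botnet against a host with no lockout, only an assumed rate
    # limit of 1 guess/s, that moves on after 7 days (assumed horizon).
    "untargeted_1ps_7d": (1, 1, 7 * DAY),
    # Targeted, patient attacker: same assumed rate limit, kept up for 10 years.
    "targeted_1ps_10y": (1, 1, 10 * YEAR),
}


def evaluate(max_success_prob=0.1):
    """Guess budget and required entropy bits for each scenario."""
    results = {}
    for name, (attempts, window, horizon) in SCENARIOS.items():
        guesses = guess_budget(attempts, window, horizon)
        results[name] = (guesses, required_bits(guesses, max_success_prob))
    return results


if __name__ == "__main__":
    for name, (guesses, bits) in evaluate().items():
        print(f"{name:32s} guesses={guesses:>12,d} bits>={bits}")
    # A 4-digit PIN is a keyspace of 10**4 (~13.3 bits) facing 3 guesses total.
    print("PIN success probability:", success_probability(3, 10**4))
    # Same lockout policy, but counting guesses over a 10-year horizon with
    # the 100-per-30-days budget resetting at every rotation.
    print("100/30d policy over 10 years:", guess_budget(100, 30 * DAY, 10 * YEAR))
```

With a 10% success target the quoted policy works out to 100 guesses and 10 bits, while the same calculation at an assumed 1 guess/s with no lockout needs about 23 bits for a 7-day horizon and about 32 bits for a 10-year one, which is the sense in which the horizon, not the password age, sets the requirement.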