On Wed, 2015-02-25 at 14:32 +0100, Hubert Kario wrote:
> On Tuesday 24 February 2015 09:24:36 Chris Murphy wrote:
> > On Tue, Feb 24, 2015 at 9:10 AM, Hubert Kario <hkario(a)redhat.com> wrote:
> > > thing is, that even if it just comes up once that means that the attackers
> > > either use full publicly available word lists or not entirely trivial
> > > password modification rules ("trustno1" is in the 1001st position in the
> > > list)
> > > either means that a simple dictionary check won't protect against such
> > > opportunistic attackers
> > > note to self: get password list from honeypots
> > In the UI for setting a password, how does the guideline read for such
> > "Your password must contain at least 8 characters and must contain at
> > least one letter and one numeric or punctuation character" is
> > obviously not going to work.
> I would consider the following to be good interaction:
> For a password like: Troubadour1&
> Your password failed a complexity check, estimated entropy: 17 bits, password
> pattern detected: dictionary word with simple modifications (capitalise,
> suffix-1, suffix-symbol). This system requires passwords with at least 20 bits.
> Please try a different password.
> If nobody else is looking at your screen, you can use one of the following:
> second wanted degree
> however ready respect using
I do not think that a two-random-words password from a not
dictionary would be sufficiently strong. You have to understand that the
attacker will know which dictionary was used to generate it. And a big
dictionary means that the words will be so obscure that people will not
be able to memorize them much more easily than a randomized single word.
> And then when the user enters the "red mist" password, I'd expect it to
> Estimated password entropy: 20 bits. Low complexity, acceptable.
> Possibly with a tooltip that says "Password pattern detected: 2 random
> (switch "entropy" with "score" if we want to be user-friendly and not
> users with technicalities)
I am not too confident in the password entropy scoring as presented by
the NIST standard.
> So not only say "your password is bad", but also say _why_ it is bad and
> provide ready to use passwords that will match the requirement.
All in all yes, this is a good proposal, except nobody is working on the
code that would implement it. At least I do not see it as a high
priority for me.
No matter how far down the wrong road you've gone, turn back.
(You'll never know whether the road is wrong though.)
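The interaction sketched in the thread (estimate the bits, name the pattern the attacker would exploit, and offer random-word passphrases drawn from the same list) as an added Python example. This is not code from the thread or from any real password checker, and everything in it is constructed: the word list is a handful of real words padded with pseudo-words to exactly 1024 entries, so that one word is worth log2(1024) = 10 bits and two random words are worth 20 bits; the leaked-password ranks are made up except for the "trustno1 at position 1001" remark quoted above; and the bit cost charged for each simple modification (capitalise, the common "1" suffix, another digit, a symbol) is this example's own assumption. With those assumptions "Troubadour1&" comes out at 17 bits and "red mist" at 20 bits, the figures used in the thread, but the point is the shape of the feedback, not the exact numbers.

```python
"""Password feedback: say why a password is bad and suggest ready-to-use ones.

Added example, not code from the thread or from any real checker. The word
list, the leaked-password ranks and the per-modification bit costs are all
constructed assumptions of this example (see comments).
"""
import itertools
import math
import secrets
import string

REAL_WORDS = ["red", "mist", "troubadour", "second", "wanted", "degree",
              "however", "ready", "respect", "using", "trust", "road"]
SYMBOLS = set(string.punctuation)          # 32 characters, so a symbol is 5 bits

# Constructed stand-in for a public leaked-password list (password -> rank).
# Only the trustno1 rank comes from the thread; the rest are made up.
LEAKED_RANK = {"123456": 1, "password": 2, "qwerty": 3, "trustno1": 1001}

# Assumed cost of each modification rule the attacker has to guess.
MOD_BITS = {
    "capitalise": 1.0,                       # first letter upper-cased or not
    "suffix-1": 1.0,                         # the single most common digit suffix
    "suffix-digit": math.log2(10),           # any other single trailing digit
    "suffix-symbol": math.log2(len(SYMBOLS)),
}


def build_word_list(size=1024):
    """Real words padded with syllable-built pseudo-words to exactly `size` entries."""
    onsets = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z", "bl", "tr"]
    vowels = ["a", "e", "i", "o", "u", "ai", "ou", "ee"]
    codas = ["n", "t", "k", "s", "m", "l", "p", "d"]
    words, seen = list(REAL_WORDS), set(REAL_WORDS)
    for parts in itertools.product(onsets, vowels, codas):
        if len(words) == size:
            break
        w = "".join(parts)
        if w not in seen:
            words.append(w)
            seen.add(w)
    return words


WORDS = build_word_list()
WORD_SET = frozenset(WORDS)


def estimate_bits(password, words=WORDS):
    """Return (bits, pattern): the cost of the cheapest attack this checker can see."""
    wordset = frozenset(words)
    word_bits = math.log2(len(words))
    # 1. Verbatim hit in a leaked list: the attacker needs about `rank` guesses.
    if password in LEAKED_RANK:
        rank = LEAKED_RANK[password]
        return math.log2(rank), f"leaked password (rank {rank} in public list)"
    # 2. Passphrase of dictionary words: strength comes from the list size only,
    #    because the attacker is assumed to know which list was used.
    tokens = password.split()
    if len(tokens) >= 2 and all(t in wordset for t in tokens):
        return len(tokens) * word_bits, f"{len(tokens)} random dictionary words"
    # 3. One dictionary word plus the usual mangling rules, peeled off in
    #    reverse order of application so the report reads capitalise, suffix, suffix.
    core, mods = password, []
    if core and core[-1] in SYMBOLS:
        mods.insert(0, "suffix-symbol")
        core = core[:-1]
    if core and core[-1].isdigit():
        mods.insert(0, "suffix-1" if core[-1] == "1" else "suffix-digit")
        core = core[:-1]
    if core[:1].isupper() and core[1:].islower():
        mods.insert(0, "capitalise")
        core = core.lower()
    if core in wordset:
        bits = word_bits + sum(MOD_BITS[m] for m in mods)
        detail = f" with simple modifications ({', '.join(mods)})" if mods else ""
        return bits, "dictionary word" + detail
    # 4. Nothing recognised: crude brute-force estimate from the character classes used.
    charset = sum(n for n, pred in ((26, str.islower), (26, str.isupper), (10, str.isdigit))
                  if any(pred(c) for c in password))
    if any(c in SYMBOLS for c in password):
        charset += len(SYMBOLS)
    return len(password) * math.log2(max(charset, 1)), "no pattern detected (brute-force estimate)"


def check_password(password, required_bits=20):
    """Verdict plus the explanation the thread asks for: why it failed, not just that it did."""
    bits, pattern = estimate_bits(password)
    accepted = bits >= required_bits
    if accepted:
        message = (f"Estimated password entropy: {bits:.0f} bits. "
                   f"Password pattern detected: {pattern}. Acceptable.")
    else:
        message = (f"Your password failed a complexity check, estimated entropy: {bits:.0f} bits, "
                   f"password pattern detected: {pattern}. This system requires passwords "
                   f"with at least {required_bits} bits. Please try a different password.")
    return {"accepted": accepted, "bits": bits, "pattern": pattern, "message": message}


def suggest_passphrases(count=3, words_per=2, words=WORDS):
    """Ready-to-use passphrases from the same public list, chosen with a CSPRNG."""
    return [" ".join(secrets.choice(words) for _ in range(words_per)) for _ in range(count)]


if __name__ == "__main__":
    for pw in ["Troubadour1&", "trustno1", "red mist", "xK7!qv2#Lm"]:
        print(repr(pw), "->", check_password(pw)["message"])
    print("If nobody else is looking at your screen, you can use one of:", suggest_passphrases())
```

Note that the passphrase score is `words * log2(list size)` and nothing else; that is exactly the objection raised above, that the attacker knows the list, and it is also why the suggested passphrases are generated from the same list the checker scores against, so a suggestion never fails the check it was offered to satisfy.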