On Fri, Sep 06, 2013 at 02:19:16PM +0100, Daniel P. Berrange wrote:
> > passwords are used. Maybe we could have a policy which requires _longer_
> > passwords but uses a much smaller dictionary?
> Or by default require that every password have at least one non-alphanumeric
> character in it, at which point it'll never match a regular dictionary
> entry?
I don't think that buys a whole lot, since dictionary-based attacks do the
simple transforms and character additions people usually do to get around
such checks.
$ echo password1 | /usr/sbin/cracklib-check
password1: it is based on a dictionary word
("password" remains the most popular password of all, but "password1" is
right up there.)
This is why I suggest length. NIST password guidelines
(http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf, go to
page 107) suggest that a 16-character (probably all lowercase) password with
no checks is as strong as an 8-character password with dictionary check plus
character set rules.
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
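An added illustration of the NIST SP 800-63-1 Appendix A entropy estimate that the 16-versus-8 comparison above comes from; this is not code from the thread. The per-character rule and the flat 6-bit composition bonus are from Appendix A; the linear decline of the dictionary bonus is an assumption that reproduces the Appendix A table at the lengths it lists from 6 to 20 characters.

```python
"""Guessing-entropy estimate for user-chosen passwords, after NIST SP 800-63-1
Appendix A.  Per-character bits: 4 for the first character, 2 for characters
2-8, 1.5 for characters 9-20 and 1 for every character after 20.  A
composition rule (upper case plus non-alphabetic required) adds a flat 6 bits.
An extensive dictionary check adds up to 6 bits that decline to 0 at 20
characters; the 0.5-bit-per-character decline below is an assumption."""


def per_character_bits(length: int) -> float:
    """Sum of the Appendix A per-position entropy credits."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def dictionary_bonus(length: int) -> float:
    """6 bits up to 8 characters, then 0.5 bit less per extra character
    (assumed linear decline; matches the table for even lengths 8..20)."""
    if length <= 8:
        return 6.0
    return max(0.0, 6.0 - 0.5 * (length - 8))


def entropy_bits(length: int, dictionary_check: bool = False,
                 composition_rule: bool = False) -> float:
    """Estimated guessing entropy for a password of the given length under
    the given policy checks."""
    bits = per_character_bits(length)
    if dictionary_check:
        bits += dictionary_bonus(length)
    if composition_rule:
        bits += 6.0  # flat bonus, independent of length
    return bits


def equivalent_unchecked_length(target_bits: float) -> int:
    """Shortest unchecked (no dictionary, no composition rule) password whose
    estimate reaches target_bits."""
    length = 1
    while entropy_bits(length) < target_bits:
        length += 1
    return length


if __name__ == "__main__":
    checked = entropy_bits(8, dictionary_check=True, composition_rule=True)
    print(f"8 chars, dictionary + composition: {checked} bits")
    print(f"16 chars, no checks: {entropy_bits(16)} bits")
    print(f"unchecked length matching it: {equivalent_unchecked_length(checked)}")
```

Run as a script it reports 30 bits for both policies and 16 as the matching unchecked length, which is the equivalence the message cites.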