On Wednesday 25 February 2015 14:24:37 Miloslav Trmač wrote:
> > I would consider the following to be good interaction:
> >
> > For a password like: Troubadour1&
> >
> > """
> > Your password failed a complexity check, estimated entropy: 17 bits,
> > password pattern detected: dictionary word with simple modifications
> > (capitalise, suffix-1, suffix-symbol). This system requires passwords
> > with at least 20 bits of entropy.
> That ends up saying “too bad, try something else” like we already do, except
> there are more scary words ☺ Showing the pattern that was detected does
> nothing to show _other_ patterns that will also not be allowed.
Well, every kind of rule that results in rejection can be summed up as "too
bad, try something else".

The point of it is to teach users *not* to use the "clever" tricks they have
been using to get past password filters, like appending "1!" and capitalising
the word to pass the "4 character classes" rule. The same tricks crackers have
been using for decades now to guess the passwords.

And it does actually _show_ you what will be accepted right below: plain
English words.
> > If nobody else is looking at your screen, you can use one of the
> > following random passwords:
> > red mist
> > second wanted degree
> > however ready respect using
> > """
> Now this is a useful idea. We should have this. (The required
> never-ending nowhere-leading discussion about what the recommendations
> should look like notwithstanding.)
> Mirek
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
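The interaction sketched in the thread (pattern detection, an entropy figure, and random passphrase suggestions drawn from a word list) as a self-contained added example. This is not code from the thread, from libpwquality, or from any Red Hat project, and it does not reproduce the "17 bits" estimate quoted above. The word list is a constructed 32-word list, and the cost model (log2 of the list size per word, 1 bit for capitalisation, log2(10) per digit suffix, 5 bits per symbol suffix, naive charset-size brute-force estimate when no dictionary word is found) is an assumption chosen to keep the arithmetic easy to follow:

```python
import math
import re
import secrets
from dataclasses import dataclass

# Constructed 32-word list for the demo. A real checker would load a dictionary
# of tens of thousands of words; this one is deliberately tiny so the numbers
# are easy to follow (log2(32) = 5 bits per word).
WORDLIST = [
    "apple", "bridge", "candle", "degree", "eagle", "forest", "garden",
    "however", "island", "jungle", "kettle", "lantern", "mist", "needle",
    "orange", "pillow", "quiet", "ready", "red", "respect", "river", "second",
    "silver", "tiger", "troubadour", "using", "valley", "wanted", "window",
    "yellow", "zebra", "marble",
]

# Assumed cost model (not the estimator from the thread): a cracker who has the
# word list tries both capitalisations (1 bit), every digit suffix (log2(10)
# per digit) and roughly 32 common symbols (5 bits per symbol).
CAPITALISE_BITS = 1.0
DIGIT_BITS = math.log2(10)
SYMBOL_BITS = 5.0


@dataclass
class Estimate:
    bits: float
    pattern: str


def analyze(password, wordlist=WORDLIST):
    """Estimate entropy and name the pattern the password was built from."""
    words = set(wordlist)
    per_word = math.log2(len(words))

    parts = password.split(" ")
    if len(parts) > 1 and all(p in words for p in parts):
        # Multi-word passphrase: words times list size, no credit for anything else.
        return Estimate(len(parts) * per_word,
                        f"passphrase of {len(parts)} dictionary words")

    # Single token: dictionary core + optional digit suffix + optional symbol suffix.
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9]*)", password)
    if m and m.group(1).lower() in words:
        core, digits, symbols = m.groups()
        bits = per_word
        mods = []
        if core[0].isupper() and core[1:].islower():
            mods.append("capitalise")
            bits += CAPITALISE_BITS
        if digits:
            mods.append(f"suffix-{digits}")
            bits += len(digits) * DIGIT_BITS
        if symbols:
            mods.append("suffix-symbol")
            bits += len(symbols) * SYMBOL_BITS
        if not mods:
            return Estimate(bits, "plain dictionary word")
        return Estimate(bits, "dictionary word with simple modifications ("
                        + ", ".join(mods) + ")")

    # No dictionary structure recognised: fall back to the naive charset model
    # (length * log2(alphabet size)), the only thing a class-counting rule measures.
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 32
    return Estimate(len(password) * math.log2(alphabet) if alphabet else 0.0,
                    "brute-force estimate, no dictionary pattern")


def suggest_passphrases(min_bits, wordlist=WORDLIST, count=3):
    """Random passphrases with at least min_bits of entropy, drawn with a CSPRNG."""
    n = math.ceil(min_bits / math.log2(len(wordlist)))
    return [" ".join(secrets.choice(wordlist) for _ in range(n)) for _ in range(count)]


def check(password, min_bits=20, wordlist=WORDLIST):
    """Return (accepted, message) in the style proposed in the thread."""
    est = analyze(password, wordlist)
    if est.bits >= min_bits:
        return True, f"Accepted, estimated entropy: {est.bits:.0f} bits ({est.pattern})."
    suggestions = "\n".join("  " + p for p in suggest_passphrases(min_bits, wordlist))
    return False, (
        f"Your password failed a complexity check, estimated entropy: {est.bits:.0f} bits, "
        f"password pattern detected: {est.pattern}. "
        f"This system requires passwords with at least {min_bits} bits of entropy.\n"
        "If nobody else is looking at your screen, you can use one of the following "
        f"random passwords:\n{suggestions}"
    )


if __name__ == "__main__":
    for pw in ["Troubadour1&", "red mist", "red mist silver window"]:
        ok, text = check(pw)
        print(f"{pw!r}: {'OK' if ok else 'REJECTED'}\n{text}\n")
```

With the 32-word list, "Troubadour1&" scores 5 + 1 + log2(10) + 5 ≈ 14 bits and is rejected with the pattern named, while four random words from the same list give exactly 20 bits and pass; with a realistic list of several thousand words, two or three words would reach the same threshold, which is why the quoted suggestions are that short.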