Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Digimer linux at
Wed Oct 12 18:12:50 UTC 2011

On 10/12/2011 02:10 PM, Peter Robinson wrote:
> On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson<awilliam at>  wrote:
>> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>>> On 12 October 2011 17:44, Kevin Fenzi<kevin at>  wrote:
>>>> All existing users of the Fedora Account System (FAS) at
>>>> are required to change their
>>>> password and upload a NEW ssh public key before 2011-11-30.
>>> I have to upload a *new* public key? Why should I have two sets of keys?
>> Meant 'replacement'. You can only have one key in FAS, afaict.
>>>> * Nine or more characters with lower and upper case letters, digits and
>>>>   punctuation marks.
>>>> * Ten or more characters with lower and upper case letters and digits.
>>>> * Twelve or more characters with lower case letters and digits
>>>> * Twenty or more characters with all lower case letters.
>>> This is just insane. My existing password is 8 digits and
>>> alphanumeric, and given that I have to enter it over and over again
>>> (and prove "I'm human", another WTF) when creating updates I'm really
>>> wondering if I want to bother.
>>> Talk about putting up barriers.
>> I can think of no reason why everyone shouldn't use a password manager.
>> It's just hands down a better way to do things in every respect. Eight
>> characters alphanumeric is not actually a very strong password; the
>> numbers on how long it'd take to brute force with e.g. EC2 are quite
>> tiny. And an account like yours certainly counts as high-value.
> In fact there are rainbow tables out there easily available of all 8
> alpha numeric combinations where you wouldn't even need EC2 to crack a
> lot of them. I know of a couple DBs where they have Terabytes of pre
> calculated password hashes and its just a simple string match.
> Peter

If FAS uses salts, and the DB hasn't been compromised, then rainbow 
tables are useless. If re-encryption is used, then brute force will be 
much slower.

Eight char passwords are not ideal, but they are also not trivially 
compromised if the system uses relatively basic/simple precautions. 
Again, baring a lead of the DB/salts therein.

E-Mail:              digimer at
Freenode handle:     digimer
Papers and Projects:
Node Assassin:
"At what point did we forget that the Space Shuttle was, essentially,
a program that strapped human beings to an explosion and tried to stab
through the sky with fire and math?"

More information about the devel mailing list