Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Digimer
linux at alteeve.com
Wed Oct 12 18:12:50 UTC 2011
On 10/12/2011 02:10 PM, Peter Robinson wrote:
> On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson<awilliam at redhat.com> wrote:
>> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>>> On 12 October 2011 17:44, Kevin Fenzi<kevin at scrye.com> wrote:
>>>> All existing users of the Fedora Account System (FAS) at
>>>> https://admin.fedoraproject.org/accounts are required to change their
>>>> password and upload a NEW ssh public key before 2011-11-30.
>>>
>>> I have to upload a *new* public key? Why should I have two sets of keys?
>>
>> Meant 'replacement'. You can only have one key in FAS, afaict.
>>
>>>> * Nine or more characters with lower and upper case letters, digits and
>>>> punctuation marks.
>>>> * Ten or more characters with lower and upper case letters and digits.
>>>> * Twelve or more characters with lower case letters and digits
>>>> * Twenty or more characters with all lower case letters.
>>>
>>> This is just insane. My existing password is 8 digits and
>>> alphanumeric, and given that I have to enter it over and over again
>>> (and prove "I'm human", another WTF) when creating updates I'm really
>>> wondering if I want to bother.
>>>
>>> Talk about putting up barriers.
>>
>> I can think of no reason why everyone shouldn't use a password manager.
>> It's just hands down a better way to do things in every respect. Eight
>> characters alphanumeric is not actually a very strong password; the
>> numbers on how long it'd take to brute force with e.g. EC2 are quite
>> tiny. And an account like yours certainly counts as high-value.
>
> In fact there are rainbow tables out there easily available of all 8
> alpha numeric combinations where you wouldn't even need EC2 to crack a
> lot of them. I know of a couple DBs where they have Terabytes of pre
> calculated password hashes and its just a simple string match.
>
> Peter
If FAS uses salts, and the DB hasn't been compromised, then rainbow
tables are useless. If re-encryption is used, then brute force will be
much slower.
Eight char passwords are not ideal, but they are also not trivially
compromised if the system uses relatively basic/simple precautions.
Again, baring a lead of the DB/salts therein.
--
Digimer
E-Mail: digimer at alteeve.com
Freenode handle: digimer
Papers and Projects: http://alteeve.com
Node Assassin: http://nodeassassin.org
"At what point did we forget that the Space Shuttle was, essentially,
a program that strapped human beings to an explosion and tried to stab
through the sky with fire and math?"
More information about the devel
mailing list