Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Martin Gracik mgracik at redhat.com
Thu Oct 13 12:19:01 UTC 2011


On Wed, 2011-10-12 at 14:37 -0400, Przemek Klosowski wrote:
> On 10/12/2011 01:41 PM, Richard Hughes wrote:
> > On 12 October 2011 17:44, Kevin Fenzi<kevin at scrye.com>  wrote:
> >> * Nine or more characters with lower and upper case letters, digits and
> >>   punctuation marks.
> >> * Ten or more characters with lower and upper case letters and digits.
> >> * Twelve or more characters with lower case letters and digits
> >> * Twenty or more characters with all lower case letters.
> >
> > This is just insane. My existing password is 8 digits and
> > alphanumeric, and given that I have to enter it over and over again
> > (and prove "I'm human", another WTF) when creating updates I'm really
> > wondering if I want to bother.
> 
> Length beats out larger character set, which is nicely illustrated by 
> the XKCD cartoon
> 
> http://imgs.xkcd.com/comics/password_strength.png
> 
> Considering that it's hard to type a wide character set (I probably 
> touch-type '&' correctly about 70% of the time), I actually like long 
> alpha passwords.
> 
> It is strange though that the complexity of the new requirements varies 
> so much:
> 
> (24+24+10+12)^9  or 4.0354e+16
> (24+24+10)^10    or 4.3080e+17
> (24+24)^12       or 1.4959e+20
> (24)^20          or 4.0200e+27
> 
> except, of course, the alphabetic strings aren't likely to be purely 
> random but rather dictionary words, which would reduce the complexity 
> spread.

These rules are very restricting.

If I want to use _random_ lower case letters, I have to remember 20
random characters and have marginally more secure password compared to
people who use lower case, upper case and digits?

Even just 14 random lower case letters have bigger complexity than the
other cases.

I can use 12 characters long random lower case password, or
"aaaaaaaaaaaaaaaaaaaa". I will not be remembering 20 random letters.

Please change the rules to have at least similar complexity.

> 
> Richard's complexity is (24+24+10)^8, or 1.2806e+14 which is not that 
> much worse than the low end. We all know that he'll just add '1' to his 
> existing password :)
> 
> 
> 
> except, of course, the alphabetic strings aren't going to be purely 
> random but rather dictionary words, which would reduce the complexity 
> spread.

-- 
Martin Gracik <mgracik at redhat.com>


