FESCO request to revert password confirmation change in F22

Michael Catanzaro mcatanzaro at gnome.org
Sat Mar 7 01:58:11 UTC 2015


On Fri, 2015-03-06 at 19:25 -0500, Miloslav Trma─Ź wrote:
> The way we deploy LUKS, a single password guess takes one second on a comparable hardware, so the fuzz factor is not actually as large as it might seem.

Wow, I had no clue it was that good. OK, so making one guess at the user
account password every ~three seconds would not be an unreasonable
attack, once you've stolen the computer, given how slow it would be to
attack LUKS. I had incorrectly assumed that the difference in speed
would be orders of magnitude.

Still, this is not a realistic threat for most users, and it would take
forever to attack either way, so this really just convinces me that I
can be safe with a much weaker disk encryption password than I had
previously imagined. :)



More information about the devel mailing list