FESCO request to revert password confirmation change in F22

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sat Mar 7 15:41:01 UTC 2015


Mike Pinkerton wrote:
> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> >> I hope https://xkcd.com/936/ will be among the inputs to that
> >> discussion.
> >
> > I'm fond of noting that pwquality has not yet blacklisted any variant
> > of correcthorsebatterystaple. I've been using correcthorse as my stock
> > anaconda testing password, since the strength check has been
> > enforced...
> 
> It won't stand up to a combinator attack:
> 
> <https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html>

It's not entirely clear, but I guess you mean that a two-word
combination like "correct horse" won't stand up. That appears to be
true. A four-word phrase is an entirely different matter. Each
additional word increases the complexity exponentially, so doubling the
number of words squares the number of possible combinations.

The catch is that the words must be *randomly* chosen. XKCD doesn't
stress that point much, and humans are notoriously bad at choosing
randomly. I suspect that many people make up some highly nonrandom
four-word passphrase and think they have a "correct horse battery
staple"-quality passphrase.

Björn Persson
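
Added example, not part of the original message: a sketch of the two points made above, that the number of combinations grows exponentially with the word count and that the words have to be drawn at random rather than picked by a person. The 16-word list is constructed for the demonstration, and the 2048-word list size and the guess rate are assumptions.

```python
import math
import secrets

# Constructed sample list for the demo only; a usable list needs
# thousands of distinct words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "violet",
                "marble", "tunnel", "orbit", "lantern", "pepper", "glacier",
                "saddle", "thimble", "walnut", "zephyr"]

def keyspace(list_size: int, n_words: int) -> int:
    """Equally likely passphrases when each word is drawn independently
    and uniformly from a list of list_size words."""
    return list_size ** n_words

def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy in bits; valid only for uniformly random word choice."""
    return n_words * math.log2(list_size)

def worst_case_seconds(list_size: int, n_words: int, guesses_per_second: float) -> float:
    """Time to try every combination at an assumed guess rate."""
    return keyspace(list_size, n_words) / guesses_per_second

def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Draw the words with the OS CSPRNG instead of human choice."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    LIST_SIZE = 2048   # assumption: 11 bits per word
    RATE = 1e6         # assumption: guesses per second
    for n in (2, 4):
        print(f"{n} words: {keyspace(LIST_SIZE, n):,} combinations, "
              f"{entropy_bits(LIST_SIZE, n):.0f} bits, "
              f"{worst_case_seconds(LIST_SIZE, n, RATE):,.0f} s worst case")
    # Doubling the word count squares the number of combinations.
    assert keyspace(LIST_SIZE, 4) == keyspace(LIST_SIZE, 2) ** 2
    print(generate_passphrase(SAMPLE_WORDS, 4))
```

The entropy figures hold only for passphrases produced by generate_passphrase or an equivalent random draw; a phrase a person makes up does not have the computed keyspace.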