FESCO request to revert password confirmation change in F22

Mike Pinkerton pselists at mindspring.com
Sat Mar 7 18:53:58 UTC 2015


On 7 Mar 2015, at 10:41, Björn Persson wrote:

> Mike Pinkerton wrote:
>> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
>>> On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
>>>> I hope https://xkcd.com/936/ will be among the inputs to that
>>>> discussion.
>>>
>>> I'm fond of noting that pwquality has not yet blacklisted any variant
>>> of correcthorsebatterystaple. I've been using correcthorse as my stock
>>> anaconda testing password, since the strength check has been
>>> enforced...
>>
>> It won't stand up to a combinator attack:
>>
>> <https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html>
>
> It's not entirely clear, but I guess you mean that a two-word
> combination like "correct horse" won't stand up. That appears to be
> true. A four-word phrase is an entirely different matter. Each
> additional word increases the complexity exponentially, so doubling the
> number of words squares the number of possible combinations.

The "combinator" attack that is described in the Ars Technica article
that Bruce Schneier quotes in the above link appears to be an attack
that tries combinations of multiple words from one or more of the
attacker's word lists.  Certainly adding more words to the passphrase
would make that more difficult.  As I don't know the current
state of the art in password cracking, I don't know whether attackers
typically limit their attacks to only two words, or extend to three
or more words.

> The catch is that the words must be *randomly* chosen. XKCD doesn't
> stress that point much, and humans are notoriously bad at choosing
> randomly. I suspect that many people make up some highly nonrandom
> four-word passphrase and think they have a "correct horse battery
> staple"-quality passphrase.

I don't think randomness matters at all, only whether the words are  
in the word list(s) used by the attacker.  In the Ars Technica  
article, one attacker was using multiple lists, one of which included  
111 million words.  Another attacker limited himself to a list of 14  
million words -- which were real-world passwords that were exposed in  
an SQL-injection hack several years ago.  Note that these "words" are  
simply strings -- some might be recognizable as "words" in a spoken  
or written language, while others are just character strings (e.g.,  
"momof3g" or "8kids") that the attacker has culled from one source or  
another.

-- 
Mike