FESCO request to revert password confirmation change in F22

Mike Pinkerton pselists at mindspring.com
Sat Mar 7 22:33:31 UTC 2015

On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:

> On 7 March 2015 at 11:53, Mike Pinkerton <pselists at mindspring.com>  
> wrote:
> On 7 Mar 2015, at 10:41, Björn Persson wrote:
> Mike Pinkerton wrote:
> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> I hope  https://xkcd.com/936/will be among the inputs to that
> discussion.
> I'm fond of noting that pwquality has not yet blacklisted any variant
> of correcthorsebatterystaple. I've been using correcthorse as my stock
> anaconda testing password, since the strength check has been
> enforced...
> It won't stand up to a combinator attack:
> <https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html>
> It's not entirely clear, but I guess you mean that a two-word
> combination like "correct horse" won't stand up. That appears to be
> true. A four-word phrase is an entirely different matter. Each
> additional word increases the complexity exponentially, so doubling  
> the
> number of words squares the number of possible combinations.
> The "combinator" attack that is described in the Ars Technica  
> article that Bruce Schneier quotes in the above link appears to be  
> an attack that tries combinations of multiple words from one or  
> more of the attacker's word lists.  Certainly adding more words to  
> the pass-phrase would make that more difficult.  As I don't know  
> the current state of the art in password cracking, I don't know  
> whether attackers typically limit their attacks to only two words,  
> or extend to three or more words.
> They limit it to 1-2 words because it takes a LONG time to crack  
> SHA512crypt passwords. You can do on average 32k -> 128k hash crypt  
> checks per second per password. A two word dictionary of diceware  
> would have 2^25.85 passwords in it. A single system is going to  
> take 256 seconds on 2 words. Add in 3 words (2^38.775) and it is 24  
> days. Add in a 4th word and it is 544 years. Add in a 5th word and  
> it is 4.5 million years.

Apparently Diceware's creator is not as confident as you -- he nows  
recommends more than 5 words.


Perhaps improvements in graphics cards have changed the calculus in  
recent years.

> While writing this up I went and checked that the whole thing is  
> outlined point for point in wikipedia
> http://en.wikipedia.org/wiki/Password_strength
> To estimate the time just do the following:
> $15,000 computer -> 128k/sec = 2^17. Lets assume moore's law comes  
> in and we have 2^20 by 2020.
> Take the possible entropy and subtract the 2^17 and that will give  
> you the worst case. I believe it may be 1/4 of that so make it  
> subtract 2^19 currently for one system and 2^29 for a cluster of  
> 1024 computers (so 15 million dollars).
> 2 words is going to be (25.85-19) 115 seconds for one system and  
> 0.1 for big ass cluster.
> 3 words is going to be (38.78-19) 236 hours ). <1 day for big ass  
> cluster
> 4 words is going to be (51.70-19) 221 years).  < 1 year
> 5 words is going to be (64.63-19) 1.7 million years) < 1700 years.  
> (or 1.7 years for a 15 billion dollar investment).
> To get equivalent strength from say an all lower case password you  
> are going to need 14 [a-z] characters.
> Now here is the funny thing. All that speed to get 128k is if the  
> password is less than around 12 characters for most cracking  
> software due to the way the hardware and algorithms have been  
> optimized. If the string is longer than that the hardware drops in  
> speed by orders of magnitude. So correctstaple is actually going to  
> take longer than I said. In fact all the numbers I put for 3+ words  
> is probably going to be 10-100 times longer.

All of this assumes that the attacker is trying to brute force the  
entire string -- character by character.  In the Ars Technica article  
I linked to in my previous message, the attackers did not try to  
brute force anything over 6 characters.  Instead, they used other  
strategies, including the combinator strategy that would have broken  

> There are 2 caveats.
> 1) Once again, Adam was being sarcastic. He knows the password  
> isn't any good because well he TOLD everyone what it was. He was  
> making fun of the fact that libpwquality does not blacklist it..  
> which means that correctstaple is the new password of choice (when  
> the old one might have been 123456)

I saw your first note that Adam was being sarcastic -- although it  
probably doesn't matter what password he is using for offline testing  
of Anaconda and release candidates.

I was responding to Björn Persson's suggestion that, in discussions  
of password quality, correcthorsebatterystaple would be an example of  
a safe password.  My point is that, if attackers are using strategies  
other than brute forcing, which the Ars Technica article suggests is  
the case, then constructing long passwords out of known words is  
probably not a safe strategy.

Because the word lists used by attackers are lists of strings that  
they have scraped from various sources -- human language  
dictionaries, password strings found in previous attacks, passwords  
publicized by Adam on mailing lists, strings constructed on patterns  
(e.g., "7kids", "8kids"), etc. -- a string that one would normally  
think of as four words -- correcthorsebatterystaple -- once it has  
been discovered as a password once and added to the attacker's word  
list, becomes only one word for all future cracking attempts.

> 2) This is always true http://xkcd.com/538/
> And finally. If one were to take the top 1 million known passwords  
> as the dictionary.. then each word would have about 20 bits of  
> entropy. A password generator that outputted stuff like
> 123456 password trustn01 letmein1
> would take 256 or more longer to brute force crack than using  
> diceware. Actually that sounds like a nice project to add to my  
> EN_RN translation project.

Except that the attackers aren't brute forcing long passwords.   
Apparently, they can successfully crack a ridiculously high  
percentage (90% in the Ars Technica experiment) in the space of a day  
using other techniques.

How much entropy does "rastafarianestablishmentarian" have?  With the  
techniques attackers are using, I doubt it would take even one hour  
to crack it.

That was my point.


More information about the devel mailing list