FESCO request to revert password confirmation change in F22

Stephen John Smoogen smooge at gmail.com
Sun Mar 8 19:04:30 UTC 2015


On 8 March 2015 at 08:41, Mike Pinkerton <pselists at mindspring.com> wrote:

>
> Ok, to bring this back around to where we started -- password quality
> checkers on Fedora:
>
> 1.  By positing a "strategic" attacker, we have now reduced the time we
> expect it to take him/her to crack our 29 character password
> ("rastafarianestablishmentarian"), with whatever amount of entropy it has,
> to a matter of weeks or months rather than millions of years.  Even if we
> had used a slightly longer password with upper case and numerals --
> Rastafarianestablishmentarian2015 -- that would probably still be true
> because it matches a common pattern of initial upper case and appended
> numerals.
>
> 2.  Humans are so good at patterns that we tend to embed them in
> everything we do, knowingly or unknowingly.  Given that, any password or
> passphrase that a random user can easily remember is likely to match a
> fairly common pattern.
>
> 3.  How do you get your password quality checker to recognize all such
> patterns, rather than just computing a string's entropy?
>
You can't give an absolute number in deterministic time because the problem
you are trying to solve is pretty much the travelling salesperson problem
in one form or another. You can come up with short cuts to give an approximate
level of 'strength', but you can't give an absolute 0/1 answer. The problem
is that the better you want me to gauge your password's strength, the
more resources (memory, time, etc.) I need to do it. At a certain point it
is not worth it, so we are going to have to choose a methodology as a first
guess and go with that.

-- 
Stephen J Smoogen.
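The gap the thread is pointing at, as an added illustration that is not part of either message: a checker that only computes character-class entropy next to one that scores the thread's own passphrases against the "strategic" attacker's model (dictionary words joined together, optional initial capital, appended digits). The word list, the 100,000-entry dictionary size and the guessing rate are constructed assumptions.

```python
import math
import re

# Constructed toy dictionary and attacker model: assumptions, not from the thread.
WORDLIST = {"rastafarian", "establishment", "establishmentarian", "establish", "ment", "arian"}
DICT_SIZE = 100_000  # assumed size of the attacker's real word list

def naive_entropy_bits(pw):
    """What a checker that 'just computes a string's entropy' reports:
    length * log2(size of the character classes present)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(n for pat, n in classes if re.search(pat, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def segment_words(s):
    """Split lowercase s into the fewest dictionary words (None if impossible)."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in WORDLIST:
                cand = best[start] + [s[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(s)]

def pattern_entropy_bits(pw):
    """Strength against a 'strategic' attacker who tries dictionary words joined
    together, optionally with an initial capital and appended digits (a 4-digit
    year is ~200 choices, not 10^4). Falls back to the naive figure when no
    such pattern matches, so the estimate never exceeds the naive one."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if not m or m.group(1)[1:] != m.group(1)[1:].lower():  # capitals past the first: not this pattern
        return naive_entropy_bits(pw)
    words = segment_words(m.group(1).lower())
    if words is None:
        return naive_entropy_bits(pw)
    bits = len(words) * math.log2(DICT_SIZE) + 1  # +1 bit: attacker tries both capitalisations
    digits = m.group(2)
    if digits:
        is_year = len(digits) == 4 and 1900 <= int(digits) <= 2099
        bits += math.log2(200) if is_year else len(digits) * math.log2(10)
    return bits

def crack_seconds(bits, guesses_per_second=1e10):
    """Time to exhaust 2^bits guesses at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second
```

On the thread's examples the naive checker reports roughly 136 bits for "rastafarianestablishmentarian" and 196 for "Rastafarianestablishmentarian2015", while the pattern-aware one reports about 34 and 42 bits, which is the "weeks or months rather than millions of years" difference in miniature. Any pattern the checker does not model (second word list, leet substitutions, keyboard walks) pushes its estimate back toward the naive figure, which is the resource trade-off the reply describes.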