FAS password complexity requirements

Stephen Gallagher sgallagh at redhat.com
Mon Mar 21 11:55:57 UTC 2011



On 03/17/2011 08:58 PM, Ricky Zhou wrote:
> Hey, so we discussed in the meeting, FAS's password requirements are
> currently very lax - just a minimum length of 8 characters.  What do we
> think the requirements should be changed to?
> 
> One possible strength checker that I mentioned during the meeting was:
> http://www.nongnu.org/python-crack/
> 
> This can use a dictionary to detect weak passwords.
> 

Somewhat tangentially, I'd like to also mention that if we create a set
of minimum password requirements, this should be visible not only on the
password creation page, but also on the password entry pages (even if
it's just a mouse-over of a "?" icon next to the password-entry field).

In my experience, people are prone to forgetting their passwords. The
best hint we can give a person to remember their password (without
requiring them to add a hint message that could reveal information to an
attacker) is to allow them to see which set of rules the password had to
adhere to.

It's an unfortunate truth that many users reuse passwords across
multiple sites. In general, they need to maintain a few categories of
passwords. e.g.

 * My password for really low-security sites that I don't care about
   password
 * My password for my local computer; just complicated enough so I can
   remember it but not easily socially-engineered
   p@s$w0rd
 * My really secure password for important work stuff
   P@ssphr@seW|thMany$pecialChars

Allowing the user to see that FAS requires e.g. eight or more characters
with at least one capital and one special character would narrow the
above example down (in this case, only P@ssphr@seW|thMany$pecialChars
would meet the requirements, so I'll remember to use that).


-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
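As an added example (not code from this thread or from FAS), the following Python sketch shows the approach Stephen describes: a single rule table both enforces the requirements and produces the hint text shown beside the entry field, so the two can never drift apart. The rule set and the three sample passwords are the ones from the message above; the small word list is a constructed stand-in for the dictionary a checker such as python-crack would load.

```python
import string

# Constructed stand-in for the dictionary file a checker such as
# python-crack would consult; a real deployment would load a word list.
COMMON_WORDS = {"password", "passphrase", "letmein", "qwerty", "fedora"}

# Common letter-for-symbol substitutions, undone before the dictionary
# lookup so that "p@s$w0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "|": "l", "!": "i", "4": "a", "5": "s", "7": "t"})


def dictionary_form(pw: str) -> str:
    """Lower-case, undo leet substitutions and drop anything non-alphabetic."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalpha())


# One table drives both validation and the on-screen requirement list,
# so the hint users see is guaranteed to match what is enforced.
RULES = [
    ("at least 8 characters", lambda pw: len(pw) >= 8),
    ("at least one capital letter", lambda pw: any(c.isupper() for c in pw)),
    ("at least one special character",
     lambda pw: any(c in string.punctuation for c in pw)),
    ("not a dictionary word, even with symbol substitutions",
     lambda pw: dictionary_form(pw) not in COMMON_WORDS),
]


def requirements_text() -> list[str]:
    """Rule descriptions for the creation page and the '?' mouse-over hint."""
    return [desc for desc, _ in RULES]


def failed_rules(pw: str) -> list[str]:
    """Descriptions of every rule the candidate password does not meet."""
    return [desc for desc, ok in RULES if not ok(pw)]


def meets_policy(pw: str) -> bool:
    return not failed_rules(pw)


if __name__ == "__main__":
    print("Requirements: " + "; ".join(requirements_text()))
    for candidate in ("password", "p@s$w0rd", "P@ssphr@seW|thMany$pecialChars"):
        print(f"{candidate!r}: {failed_rules(candidate) or 'OK'}")
```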

