Password diversity

Pierre-Yves Chibon pingou at pingoured.fr
Wed Nov 30 19:18:08 UTC 2011


Hi,

At the moment, while checking if a password is valid, FAS does not check
how many characters are present.
Thus it allows things like "aaaaaaaaaaaaaaaaaaaa" as a password.

One solution is of course checking how many different characters are
present in the password and I have a quick patch which does that.
However, while discussing this with Kevin and Toshio on IRC, we did
not find what would be an optimal number of different characters in the
password, which would be:
- high enough to make the password strong(er)
- low enough so that in case of brute force the number of possibilities
for each character added remains high.

So, do you have an opinion on the minimal amount of different characters
a password should have?

Thanks,
Pierre
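
The trade-off raised in the message above, worked as an added example that is not part of the original post or of FAS: it counts exactly how many passwords survive a "at least k different characters" rule and how many bits of brute-force search space the rule removes. The function names, the 94-symbol alphabet (printable ASCII without space) and the length of 8 are assumptions chosen for illustration.

```python
from math import comb, log2

def distinct_count(password):
    """Number of different characters in the password."""
    return len(set(password))

def has_min_distinct(password, min_distinct):
    """The check described in the message: reject low-diversity passwords."""
    return distinct_count(password) >= min_distinct

def surjections(n, j):
    """Length-n strings that use every one of j given symbols (inclusion-exclusion)."""
    return sum((-1) ** i * comb(j, i) * (j - i) ** n for i in range(j + 1))

def strings_with_exactly(n, alphabet, j):
    """Length-n strings over the alphabet containing exactly j different symbols."""
    return comb(alphabet, j) * surjections(n, j)

def strings_with_at_least(n, alphabet, k):
    """Length-n strings that pass a 'k or more different characters' rule."""
    upper = min(n, alphabet)
    return sum(strings_with_exactly(n, alphabet, j) for j in range(k, upper + 1))

def entropy_loss_bits(n, alphabet, k):
    """Bits of search space an attacker no longer has to cover because of the rule."""
    allowed = strings_with_at_least(n, alphabet, k)
    return -log2(allowed / alphabet ** n)

if __name__ == "__main__":
    LENGTH, ALPHABET = 8, 94  # assumed values, not taken from FAS
    print("aaaaaaaaaaaaaaaaaaaa passes k=2:",
          has_min_distinct("aaaaaaaaaaaaaaaaaaaa", 2))
    print(f"{'k':>2}  {'rejected passwords':>20}  {'bits lost':>10}")
    for k in range(1, LENGTH + 1):
        rejected = ALPHABET ** LENGTH - strings_with_at_least(LENGTH, ALPHABET, k)
        print(f"{k:>2}  {rejected:>20}  {entropy_loss_bits(LENGTH, ALPHABET, k):>10.6f}")
```
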


