Anaconda 22.17+ enforces "good" passwords

Hubert Kario hkario at
Fri Feb 13 11:00:03 UTC 2015

On Thursday 12 February 2015 17:09:56 Chris Murphy wrote:
> I don't have an easy way to prove this, but in a millions+ attempt
> brute force attack, I find it difficult to believe that
> correcthorsebatterystaple is not attempted, but 6*T!MsjD is attempted.
> I had recently read that up to 100 character dictionary only word
> based passwords were routinely attempted in brute force attacks.

Yes, it's rather well known that there are... deficiencies in the way 
libpwquality scores passwords:

and then cracklib (which is used for the dictionary part of the check) still 
has a few bugs:

I'm all for the change in question (no bad passwords accepted by Anaconda), 
but for that we *first* need:
 - libpwquality that has at most a 0.1% rate of false positives, if not lower
 - a generator for good passwords that will pass the above checks and are easy 
   to remember (something that generates "horse battery"-like passwords) and 
   presents them to the user if he or she has problems entering a password

What many people forget is that NIST SP 800-63-1 *doesn't* specify that 
passwords have to be 6 or 8 characters long with such-and-such character 
classes. It says that passwords have to have 10 or 14 bits of *entropy*. It 
also *requires* rate limiting for the logons. Current password checkers can't 
even approximate that, let alone check it properly.

Hubert Kario
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
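The contrast the post draws between character-class rules and the entropy NIST SP 800-63-1 actually asks for, worked through as an added example (not code from the mailing list or from libpwquality). It assumes the user-chosen-password heuristic of SP 800-63-1 Appendix A without its dictionary-check bonus, a 7776-word list for the "correct horse battery staple" construction, and a uniform-guessing bound for the rate-limiting point.

```python
import math


def nist_user_chosen_bits(password: str, composition_rule: bool = False) -> float:
    """Estimate entropy of a user-chosen password with the SP 800-63-1
    Appendix A heuristic: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for characters 9-20, 1 bit for every
    character after 20, plus a flat 6-bit bonus when a composition rule
    forces both upper-case and non-alphabetic characters.
    Assumption: the Appendix A dictionary-check bonus is not modelled."""
    n = len(password)
    bits = 4.0 if n >= 1 else 0.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    if composition_rule:
        bits += 6.0
    return bits


def wordlist_passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    from a list of `list_size` words: the search space is list_size**words,
    so the entropy is words * log2(list_size), regardless of character
    classes used."""
    return words * math.log2(list_size)


def online_guess_success_probability(entropy_bits: float, attempts: int) -> float:
    """Upper bound on an attacker's success probability after `attempts`
    online guesses against a password drawn uniformly from 2**entropy_bits
    values. The rate limit SP 800-63-1 requires is what keeps `attempts`
    small; the estimate is meaningless without it."""
    return min(1.0, attempts / 2 ** entropy_bits)


if __name__ == "__main__":
    # Sample passwords from the thread; 7776 is the Diceware list size (assumption).
    for label, bits in [
        ("6*T!MsjD (8 chars, composition rule)",
         nist_user_chosen_bits("6*T!MsjD", composition_rule=True)),
        ("correcthorsebatterystaple (NIST heuristic)",
         nist_user_chosen_bits("correcthorsebatterystaple")),
        ("4 random words from a 7776-word list",
         wordlist_passphrase_bits(4, 7776)),
    ]:
        p = online_guess_success_probability(bits, 1_000_000)
        print(f"{label}: {bits:.1f} bits, P(success after 1e6 guesses) <= {p:.2e}")
```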