Anaconda 22.17+ enforces "good" passwords

Hubert Kario hkario at redhat.com
Tue Feb 24 11:36:12 UTC 2015


On Monday 23 February 2015 18:43:39 Chris Murphy wrote:
> On Mon, Feb 23, 2015 at 4:22 PM, Miloslav Trmač <mitr at redhat.com> wrote:
> >> OK so to do the slow down via more SHA512 iterations is essentially
> >> pointless. And to make it actually slow things down meaningfully
> >> necessitates adding some kind of KDF (like scrypt or PBKDF2)
> >> support to the authentication path. Are those correct?
> > 
> > I don’t know that the algorithm makes a difference here; any hash checking
> > slowdown we would be reasonably willing to endure for protection against
> > dictionary attacks will not be nearly as effective as reasonable rate
> > limiting.
> OK, good.
> 
> > AFAICT a good rate limiting / denyhosts-like blacklist would make the
> > higher password quality requirement mostly unnecessary.  With rate
> > limiting, strong password quality (beyond the “not obviously stupid”
> > level of password quality) only matters against off-line attacks.
> This comment I think is in scope for the FESCo ticket. It'd also be
> useful to know exactly how to obtain the "not obviously stupid" check. Is this
> some blacklist made of the top 100,000 most common passwords used in
> 2014 hacks?

Common words *and* typical password cracker rules, used together.

Otherwise you can end up with stuff like "iloveyou" being on the list but
"iloveyou1" not.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
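To illustrate the point about cracker rules, here is an added example (not code from this thread, from Anaconda, or from libpwquality) of a blacklist check that first undoes the common mangling rules (appended digits or symbols, leet substitutions, reversal) and only then looks the base word up. The five-entry blacklist and the rule set are constructed for the demonstration; a real deployment would load a large common-password corpus.

```python
import re

# Constructed sample blacklist; a real check would load a large corpus of
# common passwords here.
BLACKLIST = {"password", "iloveyou", "letmein", "qwerty", "football"}

# Reverse mapping for the leet substitutions cracker rule sets commonly apply.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def naive_blacklisted(password: str) -> bool:
    """Plain lookup: rejects "iloveyou" but lets "iloveyou1" through."""
    return password.lower() in BLACKLIST


def normal_forms(password: str) -> set:
    """Base words a cracker rule set could have turned into this password."""
    forms = set()
    p = password.lower()
    forms.add(p)
    # Undo appended digits/symbols ("iloveyou1", "password123!").
    stripped = re.sub(r"[\d\W_]+$", "", p)
    forms.add(stripped)
    # Undo prepended digits/symbols ("123letmein").
    forms.add(re.sub(r"^[\d\W_]+", "", stripped))
    # Undo leet substitutions on every form gathered so far ("p@ssw0rd").
    for f in list(forms):
        forms.add(f.translate(UNLEET))
    # Undo reversal ("uoyevoli").
    for f in list(forms):
        forms.add(f[::-1])
    forms.discard("")
    return forms


def rule_aware_blacklisted(password: str) -> bool:
    """True if any base form of the password is on the blacklist."""
    return any(f in BLACKLIST for f in normal_forms(password))


if __name__ == "__main__":
    for pw in ["iloveyou", "iloveyou1", "P@ssw0rd", "uoyevoli", "correct horse"]:
        print(f"{pw!r}: naive={naive_blacklisted(pw)} "
              f"rule_aware={rule_aware_blacklisted(pw)}")
```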