Anaconda 22.17+ enforces "good" passwords

Tomas Mraz tmraz at redhat.com
Wed Feb 25 13:47:57 UTC 2015


On Wed, 2015-02-25 at 14:32 +0100, Hubert Kario wrote:
> On Tuesday 24 February 2015 09:24:36 Chris Murphy wrote:
> > On Tue, Feb 24, 2015 at 9:10 AM, Hubert Kario <hkario at redhat.com> wrote:
> > > The thing is that even if it just comes up once, that means that the attackers
> > > either use full publicly available word lists or not entirely trivial
> > > password modification rules ("trustno1" is in 1001st position in the RockYou
> > > list)
> > > 
> > > either means that a simple dictionary check won't protect against such
> > > opportunistic attackers
> > > 
> > > note to self: get password list from honeypots
> > 
> > In the UI for setting a password, how does the guideline read for such
> > enforcement?
> > 
> > "Your password must contain at least 8 characters and must contain at
> > least one letter and one numeric or punctuation character" is
> > obviously not going to work.
> 
> I would consider the following to be good interaction:
> 
> For a password like: Troubadour1&
> 
> """
> Your password failed a complexity check, estimated entropy: 17 bits, password 
> pattern detected: dictionary word with simple modifications (capitalise, 
> suffix-1, suffix-symbol). This system requires passwords with at least 20 bits 
> of entropy.
> 
> Please try a different password.
> 
> If nobody else is looking at your screen, you can use one of the following 
> random passwords:
> red mist
> second wanted degree
> however ready respect using
I do not think that a two-random-words password from a not-too-big
dictionary would be sufficiently strong. You have to understand that the
attacker will know which dictionary was used to generate it. And a big
dictionary means that the words will be so obscure that people will not
be able to memorize them much more easily than a randomized single word.

> """
> 
> And then when the user enters the "red mist" password, I'd expect it to say:
> 
> """
> Estimated password entropy: 20 bits. Low complexity, acceptable.
> """
> Possibly with a tooltip that says "Password pattern detected: 2 random 
> dictionary words"
> 
> (switch "entropy" with "score" if we want to be user-friendly and not scare 
> users with technicalities)

I am not too confident with the password entropy scoring as presented by
the NIST standard.

> 
> So not only say "your password is bad", but also say _why_ it is bad and 
> provide ready to use passwords that will match the requirement.

All in all, yes, this is a good proposal, except nobody is working on the
code that would implement it. At least I do not see it as a high
priority for me.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
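As an added illustration (not code from this thread, from Anaconda or from libpwquality), the entropy arithmetic behind the numbers discussed above: once the attacker knows the dictionary, k uniformly drawn words give k * log2(D) bits, so "red mist" scoring 20 bits implies a dictionary of about 1024 words, and the modification model for "Troubadour1&" is an assumed one. The word list below is a constructed stand-in.

```python
import math
import secrets

# Constructed stand-in for a passphrase word list; a real generator would use
# a list of thousands of words (the "not too big dictionary" of the thread).
WORDLIST = [
    "red", "mist", "second", "wanted", "degree", "however", "ready",
    "respect", "using", "anchor", "basket", "candle", "dragon", "ember",
    "falcon", "garden",
]


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Bits of entropy in word_count words drawn uniformly and independently
    from a dictionary of dictionary_size entries, assuming the attacker knows
    the dictionary (each word then contributes log2(dictionary_size) bits)."""
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need a dictionary of >= 2 words and >= 1 word drawn")
    return word_count * math.log2(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of dictionary words that reaches target_bits."""
    if dictionary_size < 2:
        raise ValueError("need a dictionary of >= 2 words")
    return math.ceil(target_bits / math.log2(dictionary_size))


def modified_word_entropy_bits(dictionary_size: int, digit_choices: int = 10,
                               symbol_choices: int = 32) -> float:
    """Assumed model for a 'dictionary word with simple modifications'
    (capitalise, suffix digit, suffix symbol): the bare word, one bit for
    the capitalisation, plus the digit and symbol choices.  It shows why
    such rules add only a few bits on top of the dictionary lookup."""
    return (math.log2(dictionary_size) + 1.0
            + math.log2(digit_choices) + math.log2(symbol_choices))


def generate_passphrase(wordlist: list[str], word_count: int) -> str:
    """Draw words with the secrets module (CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))
```

With a 1024-word list, two words give exactly the 20 bits quoted in the thread, while reaching 60 bits from the same list takes six words.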