Anaconda 22.17+ enforces "good" passwords

Hubert Kario hkario at redhat.com
Wed Feb 25 14:02:21 UTC 2015


On Wednesday 25 February 2015 14:47:57 Tomas Mraz wrote:
> On St, 2015-02-25 at 14:32 +0100, Hubert Kario wrote:
> > On Tuesday 24 February 2015 09:24:36 Chris Murphy wrote:
> > > On Tue, Feb 24, 2015 at 9:10 AM, Hubert Kario <hkario at redhat.com> wrote:
> > > > thing is, that even if it just comes up once, that means that the
> > > > attackers either use full publicly available word lists or not
> > > > entirely trivial password modification rules ("trustno1" is in
> > > > 1001st position in the RockYou list)
> > > > 
> > > > either means that a simple dictionary check won't protect against such
> > > > opportunistic attackers
> > > > 
> > > > note to self: get password list from honeypots
> > > 
> > > In the UI for setting a password, how does the guideline read for such
> > > enforcement?
> > > 
> > > "Your password must contain at least 8 characters and must contain at
> > > least one letter and one numeric or punctuation character" is
> > > obviously not going to work.
> > 
> > I would consider the following to be good interaction:
> > 
> > For a password like: Troubadour1&
> > 
> > """
> > Your password failed a complexity check, estimated entropy: 17 bits,
> > password pattern detected: dictionary word with simple modifications
> > (capitalise, suffix-1, suffix-symbol). This system requires passwords
> > with at least 20 bits of entropy.
> > 
> > Please try a different password.
> > 
> > If nobody else is looking at your screen, you can use one of the following
> > random passwords:
> > red mist
> > second wanted degree
> > however ready respect using
> 
> I do not think that a two-random-word password from a not-too-big
> dictionary would be sufficiently strong. You have to understand that the
> attacker will know which dictionary was used to generate it. And a big
> dictionary means that the words will be so obscure that people will not
> be able to memorize them much more easily than a randomized single word.

2 "symbols" selected at random from a 1024-entry symbol list give 20 bits of 
entropy, no matter how you look at it. Make the dictionary 2048 entries and you 
have room to spare for the occasional situation where the word selected from 
the two dictionaries is the same and you throw away such picks.

With rate limiting that does meet NIST SP 800-63-1 with plenty of room to 
spare.

> > """
> > 
> > And then when the user enters the "red mist" password, I'd expect it to
> > say:
> > 
> > """
> > Estimated password entropy: 20 bits. Low complexity, acceptable.
> > """
> > Possibly with a tooltip that says "Password pattern detected: 2 random
> > dictionary words"
> > 
> > (switch "entropy" with "score" if we want to be user-friendly and not
> > scare
> > users with technicalities)
> 
> I am not too confident with the password entropy scoring as presented by
> the NIST standard.

The standard doesn't define a way to estimate entropy, it just specifies the 
lower bound of it and a _suggested_ way to do that (which was shown to be 
greatly inadequate by multiple researchers).

> > So not only say "your password is bad", but also say _why_ it is bad and
> > provide ready to use passwords that will match the requirement.
> 
> All in all yes, this is good proposal, except nobody is working on the
> code that would implement it. At least I do not see it as a high
> priority for me.

Unfortunately my time situation is similar; I will gladly help with such a 
project, but I don't have time to lead the project myself.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
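As an added illustration (not code from the thread or from Anaconda), the arithmetic behind the 1024- versus 2048-word argument above, together with a generator that picks words with the OS CSPRNG and throws away picks that repeat a word; the word list is a constructed stand-in for a real dictionary.

```python
import math
import secrets

# Constructed stand-in word list so the block runs offline; a real generator
# would load a dictionary of, say, 1024 or 2048 common short words.
SAMPLE_WORDS = ["red", "mist", "second", "wanted", "degree", "however",
                "ready", "respect", "using", "river", "stone", "garden"]


def passphrase_entropy_bits(dict_size: int, words: int, distinct: bool) -> float:
    """Entropy in bits of `words` picks from a dictionary of `dict_size` entries.

    The attacker is assumed to know the dictionary, so only the number of
    equiprobable outcomes matters. With distinct=True, picks that repeat a
    word are discarded, so only ordered selections without repetition count.
    """
    if distinct:
        if words > dict_size:
            raise ValueError("cannot pick more distinct words than the dictionary holds")
        outcomes = math.perm(dict_size, words)
    else:
        outcomes = dict_size ** words
    return math.log2(outcomes)


def min_dict_size(target_bits: float, words: int, distinct: bool) -> int:
    """Smallest dictionary giving at least `target_bits` for `words` picks."""
    size = 2
    while passphrase_entropy_bits(size, words, distinct) < target_bits:
        size += 1
    return size


def generate_passphrase(word_list, words: int, distinct: bool = True) -> str:
    """Pick `words` entries with secrets.choice (CSPRNG); with distinct=True,
    rejection-sample until no word repeats, as the thread proposes."""
    while True:
        picks = [secrets.choice(word_list) for _ in range(words)]
        if not distinct or len(set(picks)) == len(picks):
            return " ".join(picks)
```

With replacement, 2 words from 1024 give exactly 20 bits; once repeated picks are discarded, 1024 words fall just short and 1025 (let alone 2048) are needed.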