Anaconda 22.17+ enforces "good" passwords

Stephen John Smoogen smooge at gmail.com
Wed Feb 25 17:42:51 UTC 2015


On 25 February 2015 at 06:47, Tomas Mraz <tmraz at redhat.com> wrote:

> On St, 2015-02-25 at 14:32 +0100, Hubert Kario wrote:
>
> > If nobody else is looking at your screen, you can use one of the
> > following
> > random passwords:
> > red mist
> > second wanted degree
> > however ready respect using
> I do not think that two random words password from not too big
> dictionary would be sufficiently strong. You have to understand that the
> attacker will know which dictionary was used to generate it. And a big
> dictionary means that the words will be so obscure that people will not
> be able to memorize them much more easily than randomized single word.
>
>
Could we drop back from the weeds and go back to a core part? How many bits
of entropy are we wanting to encourage for passwords? Hubert is saying
20 bits; you have another but have not expressed it. Are we looking for 40 to be
minimal? 90? 400?

> > (switch "entropy" with "score" if we want to be user-friendly and not scare
> > users with technicalities)
>
> I am not too confident with the password entropy scoring as presented by
> the NIST standard.
>
>
The NIST standard is meant for passwords which are limited in length and
was designed to be used in the days when passwords were limited to 7 or 8
characters. So trying to apply its scoring to unlimited-length passwords is
definitely suspect.

However, unless we can agree to some sort of measurement system, then
everything we 'impose' is going to be no better than throwing salt over our
shoulder and turning 3 times widdershins.


-- 
Stephen J Smoogen.
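Added example, not part of the thread: the entropy arithmetic behind the "how many bits" question above, under the model Tomas describes (the attacker knows the dictionary, so only the dictionary size and the number of uniformly chosen words count). The word list and the guess rate are constructed placeholders; the functions let you compare targets such as 20, 40 or 90 bits against dictionary sizes.

```python
import math
import secrets

# Constructed stand-in for a passphrase dictionary; a real list (e.g. a
# diceware list) is thousands of words long. Only its SIZE matters for the
# entropy estimate, because the attacker is assumed to know the list.
WORDS = [
    "red", "mist", "second", "wanted", "degree", "however", "ready", "respect",
    "using", "apple", "river", "stone", "cloud", "wheel", "garden", "silver",
]


def passphrase_entropy_bits(word_count, dict_size):
    """Entropy (bits) of word_count words drawn uniformly and independently
    from a dictionary of dict_size entries known to the attacker.
    Two words from a 1024-word list give exactly 20 bits."""
    if word_count < 1 or dict_size < 2:
        raise ValueError("need at least one word and a dictionary of size >= 2")
    return word_count * math.log2(dict_size)


def words_needed(target_bits, dict_size):
    """Smallest number of dictionary words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def expected_guess_seconds(bits, guesses_per_second):
    """Expected time for a dictionary-aware attacker to hit the passphrase:
    on average half of the 2**bits candidates must be tried."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(word_count, words=WORDS):
    """Pick words with a CSPRNG (secrets.choice) so each choice really is
    uniform over the list; otherwise the entropy estimate above does not hold."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for target in (20, 40, 90, 400):
        for size in (1024, 7776):
            n = words_needed(target, size)
            print(f"{target:3d} bits from a {size}-word list needs {n} words "
                  f"({passphrase_entropy_bits(n, size):.1f} bits)")
    print("sample:", generate_passphrase(words_needed(40, len(WORDS))))
```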