Anaconda 22.17+ enforces "good" passwords

Tomas Mraz tmraz at redhat.com
Thu Feb 26 09:50:18 UTC 2015


On Wed, 2015-02-25 at 22:54 -0700, Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 12:24 PM, Miloslav Trmač <mitr at redhat.com> wrote:
> 
> >> If nobody else is looking at your screen, you can use one of the following
> >> random passwords:
> >> red mist
> >> second wanted degree
> >> however ready respect using
> >> """
> >
> > Now this is a useful idea.  We should have this.  (The required never-ending nowhere-leading discussion about what the recommendations should look like notwithstanding.)
> 
> OK well at least there's acknowledgement, at least on this list, that
> there need to be visible recommendations in the UI rather than the
> user given a text fail whale. I don't know if there's consensus on
> this point.
> 
> What about a "pronounceable" password creator, one that explicitly
> doesn't use dictionary words? Based on the aforementioned 2009
> estimated cost to brute force attack passwords, it still looks like
> passwords like "however ready respect using" can't possibly be all
> that safe against a voluminous attack. If you want to go to all this
> work building such a thing and translating it, why not help the user
> create completely non-dictionary passphrases that have some chance of
> being memorable by virtue of being pronounceable. Plus, the proposal
> should be nonsense in any language, which seems less
> Amero/Anglocentric.
> 
> anguleatimplesc
> nitypeyrosentra
> mideakeremicamo
> spenhutendempis
> 
> And so on. I got these from Lastpass which lets me choose 'make
> pronounceable' as an advanced option, and I can pick any length. The
> argument against is that chances are the user has to write these down
> at least temporarily until memorized. *shrug* But that could be true
> for four word passphrases too.

Note that there is already a pronounceable password generator in the
libpwquality library. You can test it with the pwmake command. The
generated passwords also contain some numbers and special characters so
that they can be shorter at the same entropy. The lowest-entropy
passwords that it can generate have 56 bits, which might be a little
too much, though, for cases where online attacks are rate-limited.
Examples:
owt4NYt=AtYg
uj-iMuhIh5Im
HYk@qziL4fmE
aHaRiP=yccUp

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
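[Editor's note: the following is an added illustration, not code from the
thread, from libpwquality or from pwmake. It shows the technique Tomas
describes: build a password from consonant-vowel syllables, mix in digits,
symbols and capitalisation so the result is shorter for a given number of
bits, and count entropy exactly by summing log2 of each uniform choice.
The alphabets, the four-way "decoration" step, and the function names
make_pronounceable and expected_guess_time_seconds are assumptions of this
example and do not reproduce libpwquality's actual syllable tables or
algorithm.]

```python
import math
import secrets

# Constructed alphabets for this toy generator (not libpwquality's tables).
# The four classes are disjoint, which is what makes the entropy count exact.
CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiouy"
DIGITS = "0123456789"
SYMBOLS = "-=+@#%"


def _draw(rng, alphabet):
    """Uniformly pick one character and return it with the bits it contributes."""
    return alphabet[rng.randrange(len(alphabet))], math.log2(len(alphabet))


def make_pronounceable(min_bits, rng=None):
    """Return (password, entropy_bits) with entropy_bits >= min_bits.

    Each consonant-vowel syllable is followed by one of four uniformly chosen
    decorations: nothing, a digit, a symbol, or capitalising the consonant.
    Because the character classes are disjoint and a capital is visibly
    different from a lowercase letter, every distinct sequence of random draws
    yields a distinct string, so summing log2(choices) over the draws is the
    exact entropy of the output (assuming the draws themselves are uniform).
    """
    if rng is None:
        rng = secrets.SystemRandom()   # CSPRNG; a seeded RNG may be injected for tests
    out, bits = [], 0.0
    while bits < min_bits:
        c, b_c = _draw(rng, CONSONANTS)
        v, b_v = _draw(rng, VOWELS)
        bits += b_c + b_v
        kind = rng.randrange(4)        # 2 bits: which decoration follows the syllable
        bits += 2.0
        if kind == 3:
            c = c.upper()
        out.append(c + v)
        if kind == 1:
            d, b = _draw(rng, DIGITS)
            out.append(d)
            bits += b
        elif kind == 2:
            s, b = _draw(rng, SYMBOLS)
            out.append(s)
            bits += b
    return "".join(out), bits


def expected_guess_time_seconds(bits, guesses_per_second):
    """Average time to hit a uniformly random `bits`-bit secret at a fixed guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    for _ in range(4):
        pw, e = make_pronounceable(56)
        print(f"{pw:24s} {e:5.1f} bits")
    # Tomas's point about rate-limited online attacks: at 10 guesses/s,
    # 56 bits is far beyond what such an attacker can exhaust.
    years = expected_guess_time_seconds(56, 10) / (365 * 86400)
    print(f"56 bits at 10 guesses/s: about {years:.1e} years on average")
```

Because this generator uses smaller alphabets than pwmake and spends a
separate 2-bit draw on each decoration, its 56-bit passwords come out
longer (10 to 21 characters) than the 12-character pwmake examples above;
the point of the exercise is the accounting, not the density. The second
function makes the rate-limiting caveat concrete: what matters for an
online-only attacker is guesses per second, and at that rate even a much
smaller entropy budget would take longer than the account will exist.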