Anaconda 22.17+ enforces "good" passwords
Hubert Kario
hkario at redhat.com
Thu Feb 26 10:58:45 UTC 2015
On Wednesday 25 February 2015 22:54:18 Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 12:24 PM, Miloslav Trmač <mitr at redhat.com> wrote:
> >> If nobody else is looking at your screen, you can use one of the
> >> following
> >> random passwords:
> >> red mist
> >> second wanted degree
> >> however ready respect using
> >> """
> >
> > Now this is a useful idea. We should have this. (The required
> > never-ending nowhere-leading discussion about what the recommendations
> > should look like notwithstanding.)
> OK well at least there's acknowledgement, at least on this list, that
> there need to be visible recommendations in the UI rather than the
> user given a text fail whale. I don't know if there's consensus on
> this point.
>
> What about a "pronounceable" password creator, one that explicitly
> doesn't use dictionary words?
I have used this method before and didn't find pronounceable gibberish easy to
remember; words are much more so.
But I don't have anything against providing a few different styles of password to
the user: one with random words, another with random syllables and even one
with completely random characters. But all the presented passwords must pass
the later check.
> Based on the aforementioned 2009
> estimated cost to brute force attack passwords, it still looks like
> passwords like "however ready respect using" can't possibly be all
> that safe against a voluminous attack.
The NIST recommendations are for on-line systems where the password is used
(and as such, is useful) for a limited amount of time and you have complete
control over the number of tries the attacker can perform.
The brute force you're talking about is for offline attacks where the attacker
has access to password hashes, useful for guidelines for disk encryption or
private key encryption, not so much for a regular login password.
> If you want to go to all this
> work building such a thing and translating it, why not help the user
> create completely non-dictionary passphrases that have some chance of
> being memorable by virtue of being pronounceable. Plus, the proposal
> should be nonsense in any language, which seems less
> Amero/Anglocentric.
>
> anguleatimplesc
> nitypeyrosentra
> mideakeremicamo
> spenhutendempis
Diceware already has word lists in many languages; I don't see why we couldn't
have different random passwords (from different dictionaries) if the user
selected a different installer language.
And what you consider pronounceable really depends on the language you
speak... For example, this is a completely valid Czech sentence:
Strč prst skrz krk
Yes, it doesn't contain a single vowel :)
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
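The three password styles discussed in the message above (random words from a per-language dictionary, random syllables, random characters), the "later check" that every offered candidate must pass, and the online-versus-offline guessing-rate distinction can be put side by side in a small generator. The following is an added example written for this page; it is not Anaconda code and not code from anyone in the thread. The word lists, the syllable set, the 40-bit minimum and the two guess rates are constructed assumptions for the demonstration; a real Diceware list has 7776 entries per language, which the entropy helper also handles.

```python
"""Added example: candidate passwords in three styles plus an entropy-based
acceptance check and online/offline crack-time estimates.  Not code from
Anaconda or from the mailing-list thread; lists and rates are constructed."""
import math
import secrets
import string

# Constructed toy word lists keyed by installer language.  A real Diceware
# list has 7776 words (about 12.9 bits each); 16 words here is only so that
# the example runs offline, and gives 4 bits per word.
WORDLISTS = {
    "en": ["red", "mist", "second", "wanted", "degree", "however", "ready",
           "respect", "using", "apple", "river", "stone", "cloud", "paper",
           "green", "night"],
    "cs": ["prst", "krk", "strom", "voda", "slunce", "kniha", "okno", "mesto",
           "pole", "les", "most", "ruka", "hlava", "dum", "zeme", "vitr"],
}
DICEWARE_SIZE = 7776  # size of a standard Diceware list, for comparison

# Constructed pronounceable syllables: consonant followed by vowel, 55 total.
SYLLABLES = [c + v for c in "bdgklmnprst" for v in "aeiou"]
# Printable ASCII minus space: 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, count):
    """Entropy of `count` symbols each drawn uniformly from `alphabet_size`."""
    return count * math.log2(alphabet_size)


def generate(style, count, language="en"):
    """Return (candidate, entropy_bits) for one of the three styles.

    Draws with the `secrets` module (a CSPRNG), never with `random`.
    """
    if style == "words":
        alphabet, sep = WORDLISTS[language], " "
    elif style == "syllables":
        alphabet, sep = SYLLABLES, ""
    elif style == "chars":
        alphabet, sep = PRINTABLE, ""
    else:
        raise ValueError(f"unknown style {style!r}")
    parts = [secrets.choice(alphabet) for _ in range(count)]
    return sep.join(parts), entropy_bits(len(alphabet), count)


def passes_check(bits, minimum_bits=40):
    """The 'later check': every offered candidate must clear the same bar.
    40 bits is an assumed threshold for this example, not a NIST figure."""
    return bits >= minimum_bits


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: on average half the keyspace."""
    return (2.0 ** bits / 2.0) / guesses_per_second


# Assumed guess rates (round constructed numbers, not measurements).
ONLINE_RATE = 10.0     # a rate-limited login endpoint
OFFLINE_RATE = 1e10    # GPU attack on a fast, unsalted hash of the password


if __name__ == "__main__":
    for style, count, lang in (("words", 4, "en"), ("words", 4, "cs"),
                               ("syllables", 6, "en"), ("chars", 10, "en")):
        pw, bits = generate(style, count, lang)
        verdict = "ok" if passes_check(bits) else "REJECT"
        print(f"{style:9s} {pw!r:32s} {bits:5.1f} bits  {verdict}  "
              f"online {expected_crack_seconds(bits, ONLINE_RATE):.2e}s  "
              f"offline {expected_crack_seconds(bits, OFFLINE_RATE):.2e}s")
    # Four words from a real Diceware list, for scale.
    print(f"4 Diceware words: {entropy_bits(DICEWARE_SIZE, 4):.1f} bits")
```

The two time columns make the message's point concrete: the same candidate that is effectively unguessable through a throttled login form may be cheap to recover offline once the attacker holds a fast hash, so the bar set in the "later check" should depend on which attack the password has to survive.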