Anaconda 22.17+ enforces "good" passwords

Miloslav Trmač mitr at redhat.com
Fri Feb 27 19:17:29 UTC 2015


> and I agree, blanket requirement of changing the password every 30 days is
> bad
> 
> but if we say "password never expires" we need to assume (for purposes of
> calculation) a sufficiently long password life-time - like 100 years

“Sufficiently long”, yes.  100 years, no—other time limits will become binding much earlier:

* Can a botnet survive over 100 years?  Something between 3 and 10 years seems a better guess.
* Will a deployed system stay around for 100 years? The usual hardware warranty is around 3 years, even small businesses tend to upgrade around every 10 years (and change ISPs, i.e. IP addresses, even more frequently).
* Will a botnet continue to hammer a single system after 99 years of failures, or give up and move on to an easier target?

For an untargeted attack, I would expect the last factor to dominate—resiliency for 1–7 days of continuous password guessing intuitively seems quite sufficient (though this depends not as much on what Fedora does as on what OS vendors of other possible targets do).

For a targeted attack from a nation state, I don’t know; passwords tend to get reused over a long time and a nation state may have the resources, interest and means to keep following and attacking the same person/company over their various computing systems for a decade or more easily enough.  The folk wisdom is that any targeted attack like this will eventually succeed, so I’m really not sure where to put the line between “worthwhile effort to protect our users” and “eh, you are screwed anyway, let’s not annoy those who are not targets like you”.

> > > If we use the NIST recommendation of 100 unsuccessful login attempts to
> > > lockout account and 30 day password rotation, then we may be fine with
> > > just 10 bit entropy - that of a random 4 digit PIN or single dictionary
> > > password.
> > OK yet my bank card 4 digit PIN doesn't rotate. It never expires. It's
> > been the same for 8+ years.
> 
> it's also locked out after 3 unsuccessful attempts and requires possession of
> hardware token, not a favourable comparison

(FWIW the locking out after 3 tries is not universal; I know of several banks where 3 bad attempts will just cause the current transaction to be aborted and allow you to try elsewhere again immediately (not even locking you out for 24 hours).  But then banks never speak about their internal rate limiting and alarm and automated / manual blocking rules, so we will not know the full picture.)
     Mirek
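The "calculation" the thread keeps alluding to (lockout threshold, assumed password lifetime, resulting entropy requirement) is easy to make explicit. The following is an added worked example, not code from the original post or from Anaconda; it assumes a uniformly random password and, as a simplification, that a lockout clears once per window so the attacker gets a fresh attempt budget each window (e.g. the quoted "100 attempts, 30-day rotation" figures).

```python
import math


def guesses_available(attempts_per_window: int, window_days: float, lifetime_days: float) -> int:
    """Upper bound on online guesses over the password's lifetime.

    Assumption (constructed for this example): the account locks after
    `attempts_per_window` failures and the lock clears once per `window_days`,
    so each window hands the attacker a fresh budget of guesses.
    """
    windows = math.ceil(lifetime_days / window_days)
    return attempts_per_window * windows


def success_probability(entropy_bits: float, attempts_per_window: int,
                        window_days: float, lifetime_days: float) -> float:
    """Chance the attacker hits a uniformly random password of the given entropy
    before it is rotated (or the system is retired)."""
    guesses = guesses_available(attempts_per_window, window_days, lifetime_days)
    return min(1.0, guesses / 2 ** entropy_bits)


def required_entropy_bits(attempts_per_window: int, window_days: float,
                          lifetime_days: float, max_success_probability: float) -> int:
    """Smallest whole number of entropy bits keeping the attacker's success
    probability at or below `max_success_probability` over the lifetime."""
    guesses = guesses_available(attempts_per_window, window_days, lifetime_days)
    return math.ceil(math.log2(guesses / max_success_probability))


if __name__ == "__main__":
    # Scenarios from the thread: NIST-style 100-attempt lockout, password lifetime of
    # 30 days (rotation), 7 days (untargeted-attack horizon), and 100 years (never expires).
    attempts, window = 100, 30
    for label, lifetime in (("30 days", 30), ("7 days", 7), ("100 years", 100 * 365)):
        p = success_probability(10, attempts, window, lifetime)
        bits = required_entropy_bits(attempts, window, lifetime, 0.1)
        print(f"{label:>9}: guesses={guesses_available(attempts, window, lifetime):>7}, "
              f"P(success | 10-bit PIN)={p:.3f}, bits needed for P<=0.1: {bits}")
```

With a 30-day lifetime the 10-bit PIN is indeed "fine" at roughly 10% attacker success, whereas a 100-year horizon with the same lockout policy drives the requirement above 20 bits, which is exactly why the assumed lifetime dominates the answer.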
