On 03/17/2011 08:58 PM, Ricky Zhou wrote:
> Hey, so we discussed in the meeting, FAS's password requirements are
> currently very lax - just a minimum length of 8 characters. What do we
> think the requirements should be changed to?
>
> One possible strength checker that I mentioned during the meeting was:
> http://www.nongnu.org/python-crack/
>
> This can use a dictionary to detect weak passwords.

Somewhat tangentially, I'd like to also mention that if we create a set of minimum password requirements, this should be visible not only on the password creation page, but also on the password entry pages (even if it's just a mouse-over of a "?" icon next to the password-entry field).

In my experience, people are prone to forgetting their passwords. The best hint we can give a person to remember their password (without requiring them to add a hint message that could reveal information to an attacker) is to allow them to see which set of rules the password had to adhere to.

It's an unfortunate truth that many users reuse passwords across multiple sites. In general, they need to maintain a few categories of passwords, e.g.

* My password for really low-security sites that I don't care about: password
* My password for my local computer; just complicated enough so I can remember it but not easily socially-engineered: p@s$w0rd
* My really secure password for important work stuff: P@ssphr@seW|thMany$pecialChars

Allowing the user to see that FAS requires e.g. eight or more characters with at least one capital and one special character would narrow the above example down (in this case, only P@ssphr@seW|thMany$pecialChars would meet the requirements, so I'll remember to use that).

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
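As an added example (not code from this thread, from FAS, or from python-crack), here is a policy check of the kind discussed above, applied to the three sample passwords from the mail. The wordlist and the leet-substitution table are constructed stand-ins for the dictionary and normalisation a cracklib-based checker would use; the rule set is the one floated in the message (eight or more characters, one capital, one special character) plus a dictionary check.

```python
import string

# Constructed example wordlist, standing in for the dictionary python-crack/cracklib would consult.
WORDLIST = {"password", "letmein", "fedora", "qwerty", "welcome"}

# Common substitutions reversed, so "p@s$w0rd" normalises to "password" before the lookup.
# This is a simplified version of the mangling cracklib performs, not its actual rules.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "|": "i", "!": "i", "5": "s"})

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def policy_violations(password: str, wordlist: set = WORDLIST) -> list:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Undo leet substitutions and drop trailing digits so "password1" is still caught.
    normalised = password.lower().translate(LEET).rstrip(string.digits)
    if normalised in wordlist:
        problems.append("based on a dictionary word")
    return problems


def rule_hint() -> str:
    """Text for the '?' mouse-over next to the password field, as suggested in the mail."""
    return (f"At least {MIN_LENGTH} characters, including at least one capital letter "
            "and one special character; must not be based on a dictionary word.")


if __name__ == "__main__":
    # The three example passwords from the thread; only the last one passes.
    for candidate in ("password", "p@s$w0rd", "P@ssphr@seW|thMany$pecialChars"):
        print(f"{candidate!r} -> {policy_violations(candidate) or 'OK'}")
```

Note that "p@s$w0rd" fails the dictionary check even though it contains special characters, which is the case a plain length-and-character-class rule set would miss.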