> One solution is of course checking how many different characters are
> present in the password and I have a quick patch which does that.

Nice

> - high enough to make the password strong(er)
> - low enough so that in case of brute force the number of possibilities
>   for each character added remain high.

These seem reasonable. I think someone mentioned in a related discussion about checking passwords against rainbow tables and forcing a reset once the password is flagged as existing in a public table. Maybe this would make sense considering it's now relatively cheap to buy a decent rig with plenty of powerful graphics cards.

> So, do you have an opinion on the minimal amount of different characters
> a password should have?

I think this is tough to answer without falling back on the old statement of... "it depends."

High character count, diverse character sets (letters, numbers, symbols, etc.) and mixed case are all important, but I wonder how we can balance this with usability? Should we require people to use a password management tool so they can accommodate our complexity rules? Maybe it's a good idea, but I for one wouldn't like it. For example, who can say whether a 20 character password comprised of 5 symbols, 5 numbers, 5 upper and 5 lower is better than a 25 character password with a similar composition?

I realize various papers exist in this area of security and mentioned one earlier in the year on the list. The one I highlighted concluded passwords are becoming increasingly useless in light of raw computational power. It always strikes me as odd that we strive to require complex passwords with finite computations; such is our present reality.

It's a hard problem that requires complementary tools. Such tools might include randomized login delays on failures (I think we do this already), temporary account locking (on suspected brute force), etc. The more characters the better, the more complex the better, and the less predictable the better.

Just my two cents.

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
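An added example, not code from this thread or from the Fedora infrastructure project, that puts numbers on the trade-off quoted above: a "minimum distinct characters" rule rejects repetitive passwords, but once the rule is public it also tells a brute-force attacker which strings never to try, so it removes part of the search space. The alphabet size (95 printable ASCII characters), the lengths and the thresholds are assumed for illustration.

```python
from functools import lru_cache
from math import comb, factorial, log2


@lru_cache(maxsize=None)
def stirling2(n: int, k: int) -> int:
    """Stirling number of the second kind: ways to split n positions into
    k non-empty groups (each group = the positions holding one symbol)."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def strings_with_exactly(alphabet: int, length: int, j: int) -> int:
    """Strings of `length` over `alphabet` symbols using exactly j distinct
    symbols: choose the j symbols, order them, partition the positions."""
    return comb(alphabet, j) * factorial(j) * stirling2(length, j)


def search_space(alphabet: int, length: int, min_distinct: int) -> int:
    """Passwords an attacker must still consider when the policy
    'at least min_distinct different characters' is known to them."""
    return sum(strings_with_exactly(alphabet, length, j)
               for j in range(min_distinct, min(alphabet, length) + 1))


def bits_lost(alphabet: int, length: int, min_distinct: int) -> float:
    """Bits of brute-force work removed by the rule, relative to
    the unconstrained alphabet**length space."""
    return length * log2(alphabet) - log2(search_space(alphabet, length, min_distinct))


def distinct_chars(password: str) -> int:
    """The check the quoted patch performs: count different characters."""
    return len(set(password))


def meets_policy(password: str, min_distinct: int) -> bool:
    """Accept only passwords with at least min_distinct different characters."""
    return distinct_chars(password) >= min_distinct


if __name__ == "__main__":
    ALPHABET = 95  # assumed attacker model: all printable ASCII
    for length, k in [(8, 4), (8, 8), (20, 10), (20, 20)]:
        print(f"len={length} min_distinct={k}: {bits_lost(ALPHABET, length, k):.2f} bits lost")
    print(meets_policy("aaaaaaaa", 4), meets_policy("Tr0ub4dor&3", 4))
```

Even the strictest setting (every character distinct) costs well under a bit of entropy at length 8, so the rule mostly hurts passwords like "aaaaaaaa" rather than the attacker's workload.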