On Fri, Sep 06, 2013 at 02:19:16PM +0100, Daniel P. Berrange wrote:
> > passwords are used. Maybe we could have a policy which requires _longer_
> > passwords but uses a much smaller dictionary?
> Or by default require that every password have at least one non-alphanumeric
> character in it, at which point it'll never match a regular dictionary
> entry ?

I don't think that buys a whole lot, since dictionary-based attacks do the
simple transforms and character additions people usually do to get around
such checks.

$ echo password1 | /usr/sbin/cracklib-check
password1: it is based on a dictionary word

("password" remains the most popular password of all, but "password1" is
right up there.)

This is why I suggest length. NIST password guidelines
(http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf, go to
page 107) suggest that a 16-character (probably all lowercase) password with
no checks is as strong as an 8-character password with dictionary check plus
character set rules.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm@xxxxxxxxxxxxxxxxx>
-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
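The two points in the message above, as an added illustration that is not part of the original thread and is neither cracklib's code nor a NIST-supplied implementation: a cracklib-style "based on a dictionary word" test that undoes the mangles people apply to slip past a word list (appending a digit, "leet" substitutions, reversal), and the SP 800-63-1 Appendix A guessing-entropy rule of thumb (4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit each beyond, plus a 6-bit composition bonus and a dictionary-check bonus of up to 6 bits that declines to zero at 20 characters). The word list is a constructed stand-in for a real dictionary, the set of unmangling rules is my own choice, and treating the dictionary bonus as a flat 6 bits below 8 characters is a simplification of the table; the numbers for 8 and 16 characters are the ones the message quotes.

```python
"""Dictionary-word check with unmangling, plus the NIST SP 800-63-1
Appendix A guessing-entropy estimate.  Added example, not cracklib or NIST code."""
import re

# Constructed mini dictionary; a real check uses a large word list.
WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "fedora"}

# Common single-character substitutions used to dodge a plain word list.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _candidates(pw: str):
    """Yield progressively more aggressive 'unmangled' forms of pw."""
    base = pw.lower()
    yield base
    yield base.translate(LEET)
    # Strip leading/trailing digits and punctuation: password1, !password, password!1
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    yield core
    yield core.translate(LEET)            # p@ssw0rd!1 -> p@ssw0rd -> password
    yield core[::-1]                      # drowssap -> password


def based_on_dictionary_word(pw: str, words=WORDS) -> bool:
    """True if pw, or one of its obvious unmangled forms, is a dictionary word."""
    return any(c in words for c in _candidates(pw))


def nist_guessing_entropy(length: int, dictionary_check: bool = False,
                          composition_rule: bool = False) -> float:
    """SP 800-63-1 Appendix A.2.1 rule of thumb for user-chosen passwords (bits)."""
    if length <= 0:
        return 0.0
    bits = 4.0                              # first character
    bits += 2.0 * min(length - 1, 7)        # characters 2..8
    if length > 8:
        bits += 1.5 * min(length - 8, 12)   # characters 9..20
    if length > 20:
        bits += 1.0 * (length - 20)         # characters 21 and up
    if composition_rule:
        bits += 6.0                         # upper case + non-alphabetic required
    if dictionary_check:
        # Up to 6 bits, declining linearly to zero at 20 characters.
        # Simplification (assumption): full 6 bits for 8 characters or fewer.
        if length <= 8:
            bits += 6.0
        elif length < 20:
            bits += 6.0 * (20 - length) / 12
    return bits


if __name__ == "__main__":
    for pw in ["password", "password1", "P@ssw0rd!", "correcthorsebatterystaple"]:
        print(f"{pw!r:30} dictionary-based: {based_on_dictionary_word(pw)}")
    print("8 chars, dictionary + composition:", nist_guessing_entropy(8, True, True))
    print("16 chars, no checks:              ", nist_guessing_entropy(16))
```

Run it and the two estimates the message compares come out equal (30 bits each), while "password1" and "P@ssw0rd!" both still trip the dictionary test, which is the point about composition rules: the mangles they force are exactly the ones a cracking dictionary already applies.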