On Thursday 12 February 2015 17:09:56 Chris Murphy wrote:
> I don't have an easy way to prove this, but in a millions+ attempt
> brute force attack, I find it difficult to believe that
> correcthorsebatterystaple is not attempted, but 6*T!MsjD is attempted.
> I had recently read that up to 100 character dictionary only word
> based passwords were routinely attempted in brute force attacks.

Yes, it's rather well known that there are... deficiencies in the way
libpwquality scores passwords:

https://bugzilla.redhat.com/show_bug.cgi?id=983187
https://bugzilla.redhat.com/show_bug.cgi?id=985463
https://bugzilla.redhat.com/show_bug.cgi?id=970222
https://bugzilla.redhat.com/show_bug.cgi?id=985411
https://bugzilla.redhat.com/show_bug.cgi?id=1005313
https://bugzilla.redhat.com/show_bug.cgi?id=985356
https://bugzilla.redhat.com/show_bug.cgi?id=985364
https://bugzilla.redhat.com/show_bug.cgi?id=1005276

and then cracklib (which is used for the dictionary part of the check)
still has a few bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=963769
https://bugzilla.redhat.com/show_bug.cgi?id=986400
https://bugzilla.redhat.com/show_bug.cgi?id=985378
https://bugzilla.redhat.com/show_bug.cgi?id=1146814

I'm all for the change in question (no bad passwords accepted by
Anaconda), but for that we *first* need:

 - libpwquality that has at least a 0.1% rate of false positives, if
   not lower
 - a generator for good passwords that will pass the above checks and
   are easy to remember (something that generates "horse battery"-like
   passwords) and presents them to the user if he or she has a problem
   entering the password

What many people forget is that NIST SP 800-63-1 *doesn't* specify that
passwords have to be 6 or 8 characters long with such-and-such character
classes. It says that passwords have to have 10 or 14 bits of *entropy*.
It also *requires* rate limiting for the logons. Current password
checkers can't even approximate that, let alone check it properly.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
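An added example, not part of the thread above, illustrating the entropy point the reply makes: a "horse battery"-style passphrase generator whose entropy comes from the selection process (words drawn uniformly from a list), contrasted with the naive character-class estimate that string-only checkers compute. The word list and the 14-bit threshold taken from the message are assumptions for the demonstration.

```python
import math
import secrets

# Constructed sample word list for the demo; a real generator would use a list
# of several thousand common words. Entropy below assumes each word is chosen
# uniformly and independently from this list, nothing else.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "apple", "river", "candle", "winter",
    "planet", "garden", "silver", "rocket", "pencil", "yellow", "forest", "orange",
]

# The entropy figure the message cites from NIST SP 800-63-1 (assumed as the target).
NIST_TARGET_BITS = 14


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly from wordlist_size candidates."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of uniformly chosen words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def charclass_entropy_bits(password: str) -> float:
    """Naive length * log2(alphabet) estimate used by string-only checkers.

    It has no idea how the string was produced, so it credits a concatenation
    of dictionary words with far more entropy than it really has.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Draw words with the CSPRNG-backed secrets module, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))
```

With the 16-word list, four words give exactly 16 bits, just over the cited target; the naive estimate credits "correcthorsebatterystaple" with about 117 bits, which says nothing about how guessable it is.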