On Monday 23 February 2015 18:43:39 Chris Murphy wrote:
> On Mon, Feb 23, 2015 at 4:22 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> >> OK so to do the slow down via more SHA512 iterations is essentially
> >> pointless. And to make it actually slow things down meaningfully
> >> necessitates adding some kind of KDF (like scrypt or PBKDF2)
> >> support to the authentication path. Are those correct?
> >
> > I don't know that the algorithm makes a difference here; any hash checking
> > slowdown we would be reasonably willing to endure for protection against
> > dictionary attacks will not be nearly as effective as reasonable rate
> > limiting.
> OK, good.
>
> > AFAICT a good rate limiting / denyhosts-like blacklist would make the
> > higher password quality requirement mostly unnecessary. With rate
> > limiting, strong password quality (beyond the "not obviously stupid"
> > level of password quality) only matters against off-line attacks.
> This comment I think is in scope for the FESCo ticket. It'd also be
> useful to know exactly how to obtain the "not obviously stupid" check. Is this
> some blacklist made of the top 100,000 most common passwords used in
> 2014 hacks?

Common words *and* typical password cracker rules used; otherwise you can end up with stuff like "iloveyou" being on the list but "iloveyou1" not.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
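As an added illustration (not code from the thread or from any Fedora component), the check below shows the gap Hubert describes: a plain blacklist lookup rejects "iloveyou" but passes "iloveyou1", while a lookup that first applies common cracker mangling rules (case folding, leet-speak reversal, stripping appended digits and punctuation) catches both. The blacklist and the LEET_MAP rule set are constructed samples, not a real common-password list.

```python
"""Blacklist check that applies typical password-cracker mangling rules.

Added example, not from the thread. COMMON_PASSWORDS is a constructed
stand-in for a real "most common passwords" list (which has 10^5+ entries);
LEET_MAP is a constructed sample of the substitutions cracker rule sets undo.
"""
import re

# Constructed sample blacklist; a real deployment loads a large list from a file.
COMMON_PASSWORDS = {"password", "iloveyou", "qwerty", "letmein", "dragon", "monkey"}

# Reverse the character substitutions crackers try ("l33t"-style rules).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits/punctuation prepended or appended to a base word: "iloveyou1", "!Password123!".
AFFIX_RE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def naive_check(password: str, blacklist=COMMON_PASSWORDS) -> bool:
    """Plain lookup: blocks 'iloveyou' but not 'iloveyou1'."""
    return password.lower() in blacklist


def normalize_variants(password: str) -> set:
    """Base words a cracker rule set would reach from `password`.

    Affix stripping and un-leeting are applied in both orders, because
    "!" can be either an appended symbol or a substituted "i".
    """
    lowered = password.lower()
    stripped = AFFIX_RE.sub("", lowered)
    variants = {
        lowered,
        stripped,
        lowered.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
        AFFIX_RE.sub("", lowered.translate(LEET_MAP)),
    }
    variants.discard("")
    return variants


def is_obviously_stupid(password: str, blacklist=COMMON_PASSWORDS) -> bool:
    """True if the password, or any base word a cracker rule reaches, is blacklisted."""
    lowered = password.lower()
    if AFFIX_RE.sub("", lowered) == "":
        return True  # nothing but digits/punctuation, e.g. "12345678" or "!!!!"
    return any(v in blacklist for v in normalize_variants(lowered))
```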
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security