Re: Anaconda 22.17+ enforces "good" passwords

On Tuesday 24 February 2015 09:24:36 Chris Murphy wrote:
> On Tue, Feb 24, 2015 at 9:10 AM, Hubert Kario <hkario@xxxxxxxxxx> wrote:
> > thing is, that even if it just comes up once that means that the attackers
> > either use full publicly available word lists or not entirely trivial
> > password modification rules ("trustno1" is in 1001st position in the RockYou
> > list)
> > 
> > either means that a simple dictionary check won't protect against such
> > opportunistic attackers
> > 
> > note to self: get password list from honeypots
> 
> In the UI for setting a password, how does the guideline read for such
> enforcement?
> 
> "Your password must contain at least 8 characters and must contain at
> least one letter and one numeric or punctuation character" is
> obviously not going to work.

I would consider the following to be good interaction:

For a password like: Troubadour1&

"""
Your password failed a complexity check, estimated entropy: 17 bits, password 
pattern detected: dictionary word with simple modifications (capitalise, 
suffix-1, suffix-symbol). This system requires passwords with at least 20 bits 
of entropy.

Please try a different password.

If nobody else is looking at your screen, you can use one of the following 
random passwords:
red mist
second wanted degree
however ready respect using
"""

And then when the user enters the "red mist" password, I'd expect it to say:

"""
Estimated password entropy: 20 bits. Low complexity, acceptable.
"""
Possibly with a tooltip that says "Password pattern detected: 2 random 
dictionary words"

(switch "entropy" with "score" if we want to be user-friendly and not scare 
users with technicalities)


So not only say "your password is bad", but also say _why_ it is bad and 
provide ready-to-use passwords that will match the requirement.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
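As an added illustration of the interaction described in the mail above (not code from the thread or from Anaconda), here is a small Python estimator that scores a password against the "dictionary word with simple modifications" pattern, names the pattern in the rejection message, and offers random-word passphrases that clear the threshold. The stand-in word list, DICT_SIZE, the 20-bit threshold and the per-modification costs are all assumptions.

```python
import math
import secrets
import string

# Constructed stand-in word list (assumption); a real checker would load a full
# dictionary of DICT_SIZE entries, and it is DICT_SIZE that sets the per-word bits.
WORDS = ["red", "mist", "second", "wanted", "degree", "however",
         "ready", "respect", "using", "troubadour", "password"]
DICT_SIZE = 1024
BITS_PER_WORD = math.log2(DICT_SIZE)
MIN_BITS = 20  # threshold from the mail; assumed policy value

def estimate_entropy(password):
    """Return (bits, pattern) for the cheapest guessing strategy: a dictionary
    word plus simple modifications, a word passphrase, or brute force."""
    core, mods, bits = password, [], 0.0
    if core and core[-1] in string.punctuation:    # trailing symbol
        bits += math.log2(len(string.punctuation))
        core, mods = core[:-1], ["suffix-symbol"] + mods
    if core and core[-1].isdigit():                # trailing digit
        bits += math.log2(10)
        core, mods = core[:-1], ["suffix-digit"] + mods
    if core[:1].isupper() and core[1:].islower():  # Capitalised word
        bits += 1
        mods = ["capitalise"] + mods
    words = core.lower().split()
    if words and all(w in WORDS for w in words):
        bits += BITS_PER_WORD * len(words)
        if len(words) > 1:
            return bits, "%d random dictionary words" % len(words)
        detail = " with simple modifications (%s)" % ", ".join(mods) if mods else ""
        return bits, "dictionary word" + detail
    # No pattern matched: assume brute force over the character classes actually used.
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    charset = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(charset or 1), "no pattern detected"

def check(password):
    """Return (accepted, message) in the style of the interaction above."""
    bits, pattern = estimate_entropy(password)
    if bits < MIN_BITS:
        return False, ("Your password failed a complexity check, estimated entropy: %d bits, "
                       "password pattern detected: %s. This system requires passwords with "
                       "at least %d bits of entropy." % (bits, pattern, MIN_BITS))
    return True, "Estimated password entropy: %d bits. Acceptable." % bits

def suggest_passphrases(count=3):
    """Random-word passphrases from a CSPRNG (never random.choice), shortest clearing MIN_BITS."""
    n = math.ceil(MIN_BITS / BITS_PER_WORD)
    return [" ".join(secrets.choice(WORDS) for _ in range(n + i)) for i in range(count)]
```

With the toy list, `suggest_passphrases()` only samples eleven words, so the real entropy of its output is far lower than the DICT_SIZE-based estimate; the figures are only honest once the lookup list and DICT_SIZE describe the same dictionary.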
