Re: Anaconda 22.17+ enforces "good" passwords

> On Mon, Feb 23, 2015 at 4:22 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> > AFAICT a good rate limiting / denyhosts-like blacklist would make the
> > higher password quality requirement mostly unnecessary.  With rate
> > limiting, strong password quality (beyond the “not obviously stupid” level
> > of password quality) only matters against off-line attacks.
> 
> This comment I think is in scope for the FESCo ticket. It'd also be
> useful exactly how to obtain the "not obviously stupid" check. Is this
> some blacklist made of the top 100,000 most common passwords used in
> 2014 hacks?

That is not some absolute measure; it is intrinsically linked with how we rate-limit/otherwise protect passwords.  For a hypothetical made-up example, suppose we decided on a goal that a Fedora box should be able to resist 7 days of continuous password guessing, _and_ had an ssh rate limiting implementation that restricted the botnet to 1 guess a minute over the 7 days.  Then we only need to protect against the 10,080 possible guesses, i.e. something on the order of the top 20,000 most common passwords (compare that with the 479,828 entries in /usr/share/dict/words).  Obviously with a different rate limiting/brute-forcing implementation, or a different goal, the password strength requirement would be different.
    Mirek
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
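The sizing argument in Mirek's reply, worked through as an added example that is not part of the thread: the online guess budget follows from the rate limit and the resistance goal, and the size of the "not obviously stupid" blacklist is derived from that budget. The safety factor of 2 (10,080 guesses rounded up to roughly the top 20,000 passwords), the `GuessBudget`/`is_obviously_stupid` names and the tiny frequency-ordered password list are assumptions, not anything from Anaconda or the list.

```python
# Added example (not from the thread): sizing a "not obviously stupid"
# password blacklist from the rate-limiting parameters in Mirek's reply.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class GuessBudget:
    """How many online guesses the rate limiter lets an attacker make."""
    guesses_per_minute: float   # what the ssh rate limiter allows the botnet
    days_to_resist: int         # policy goal: survive this many days of guessing

    def total_guesses(self) -> int:
        return int(self.guesses_per_minute * 60 * 24 * self.days_to_resist)


def blacklist_size(budget: GuessBudget, safety_factor: float = 2.0) -> int:
    """Number of most-common passwords to reject at password-setting time.

    safety_factor is an assumption: the attacker's guess order will not match
    our frequency list exactly, so reject about twice the raw budget
    (10,080 guesses -> top 20,160, i.e. "on the order of 20,000").
    """
    return int(budget.total_guesses() * safety_factor)


def is_obviously_stupid(password: str, ranked_common: Sequence[str], threshold: int) -> bool:
    """True if the password sits within the top-`threshold` of ranked_common.

    ranked_common is ordered most-common first.  Comparison is case-insensitive
    so trivial capitalisation ("Password") does not escape the check.
    """
    top = {p.lower() for p in ranked_common[:threshold]}
    return password.strip().lower() in top


# Constructed stand-in for a frequency-ordered list of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "letmein", "monkey", "dragon", "111111", "baseball"]

if __name__ == "__main__":
    budget = GuessBudget(guesses_per_minute=1, days_to_resist=7)
    n = blacklist_size(budget)
    print(f"{budget.total_guesses()} guesses in {budget.days_to_resist} days "
          f"-> reject the top {n} most common passwords")
    for pw in ("Password", "correct horse battery staple"):
        verdict = "rejected" if is_obviously_stupid(pw, COMMON_PASSWORDS, n) else "accepted"
        print(f"{pw!r}: {verdict}")
```

Changing either the rate limit or the number of days changes the threshold, which is the point of the reply: the blacklist size is a function of the rate limiting, not a fixed constant.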