On Wednesday 25 February 2015 14:24:37 Miloslav Trmač wrote:
> > I would consider the following to be good interaction:
> >
> > For a password like: Troubadour1&
> >
> > """
> > Your password failed a complexity check, estimated entropy: 17 bits,
> > password pattern detected: dictionary word with simple modifications
> > (capitalise, suffix-1, suffix-symbol). This system requires passwords
> > with at least 20 bits of entropy.
>
> That ends up saying “too bad, try something else” like we already do, except
> there are more scary words ☺ Showing the pattern that was detected does
> nothing to show _other_ patterns that will also not be allowed.

Well, every kind of rule that results in rejection can be summed up as "too
bad, try something else". The point of it is to teach users *not* to use
"clever" tricks they have been using to get past password filters, like
appending "1!" and capitalising the word to pass the "4 character classes"
rule. Same tricks crackers have been using for decades now to guess the
passwords.

And it does actually _show_ you what will be accepted right below: plain
English words.

> > If nobody else is looking at your screen, you can use one of the following
> > random passwords:
> > red mist
> > second wanted degree
> > however ready respect using
> > """
>
> Now this is a useful idea. We should have this. (The required
> never-ending nowhere-leading discussion about what the recommendations
> should look like notwithstanding.)
>     Mirek

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
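The interaction mocked up in the quoted message (reject a dictionary word dressed up with the usual tricks, explain which tricks were detected, estimate the bits they really add, and offer random word passphrases instead) can be implemented in a few dozen lines. The following is an added example written for this page; it is not code from the thread or from any Fedora or Red Hat project. It assumes a constructed 16-word dictionary standing in for a real wordlist, treats "suffix-1" as a single trailing digit, charges log2(32) bits for a trailing ASCII symbol and 1 bit for capitalising the first letter, and draws passphrase words with `secrets.choice`. Because the stand-in dictionary is tiny, the quoted figures (17 bits for Troubadour1&, two words being enough) do not reproduce here; with a real wordlist of a few thousand words they would.

```python
import math
import secrets
import string

# Constructed stand-in dictionary (a real checker would load a full wordlist).
# "troubadour" is included so the example password from the thread is caught.
WORDLIST = [
    "troubadour", "red", "mist", "second", "wanted", "degree",
    "however", "ready", "respect", "using", "password", "letmein",
    "dragon", "monkey", "shadow", "master",
]
DICTIONARY = set(WORDLIST)
SYMBOLS = set(string.punctuation)   # the 32 ASCII punctuation characters
MIN_BITS = 20.0                     # policy threshold from the quoted mock-up


def analyse(password):
    """Return (pattern description, estimated bits) or None if no pattern fits.

    Peels the tricks named in the thread off the candidate, outermost first:
    a trailing symbol, then a trailing digit, then a capitalised first letter.
    Each trick is credited only with the choice it really represents
    (which symbol, which digit, capitalised or not), not with the entropy
    of a random character, and the remaining core must be a dictionary word.
    """
    core = password
    mods = []
    bits = 0.0
    if core and core[-1] in SYMBOLS:
        core = core[:-1]
        mods.append("suffix-symbol")
        bits += math.log2(len(SYMBOLS))       # 5 bits: which of 32 symbols
    if core and core[-1].isdigit():
        core = core[:-1]
        mods.append("suffix-1")
        bits += math.log2(10)                 # ~3.3 bits: which digit
    if core[:1].isupper() and core[1:].islower():
        core = core.lower()
        mods.append("capitalise")
        bits += 1.0                           # 1 bit: capitalised or not
    if core not in DICTIONARY:
        return None                           # not a dictionary-based pattern
    bits += math.log2(len(DICTIONARY))        # which word was picked
    mods.reverse()                            # report in the order applied
    if mods:
        return ("dictionary word with simple modifications (%s)"
                % ", ".join(mods), bits)
    return ("dictionary word", bits)


def check_password(password):
    """Produce the message a password tool could show for this policy."""
    result = analyse(password)
    if result is None:
        return "OK"
    pattern, bits = result
    if bits >= MIN_BITS:
        return "OK"
    return ("Your password failed a complexity check, estimated entropy: "
            "%d bits, password pattern detected: %s. This system requires "
            "passwords with at least %d bits of entropy."
            % (round(bits), pattern, MIN_BITS))


def words_needed(min_bits):
    """Number of random dictionary words needed to reach min_bits."""
    return math.ceil(min_bits / math.log2(len(WORDLIST)))


def random_passphrase(n_words, choice=secrets.choice):
    """Return (passphrase, bits); each word is an independent uniform draw."""
    words = [choice(WORDLIST) for _ in range(n_words)]
    return " ".join(words), n_words * math.log2(len(WORDLIST))


if __name__ == "__main__":
    print(check_password("Troubadour1&"))
    n = words_needed(MIN_BITS)
    print("If nobody else is looking at your screen, you can use one of "
          "the following random passwords:")
    for _ in range(3):
        phrase, bits = random_passphrase(n)
        print("  %s  (%.0f bits)" % (phrase, bits))
```

With the 16-word dictionary the checker reports Troubadour1& at about 13 bits (4 for the word, 1 for the capital, 3.3 for the digit, 5 for the symbol) and needs five random words to reach the 20-bit threshold; the point that survives any dictionary size is that the "1&" tail buys roughly eight bits, which is what the quoted message is trying to make visible to the user.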
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security