On Wednesday 25 February 2015 22:54:18 Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 12:24 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> >> If nobody else is looking at your screen, you can use one of the
> >> following
> >> random passwords:
> >> red mist
> >> second wanted degree
> >> however ready respect using
> >> """
> >
> > Now this is a useful idea. We should have this. (The required
> > never-ending nowhere-leading discussion about what the recommendations
> > should look like notwithstanding.)
> OK well at least there's acknowledgement, at least on this list, that
> there need to be visible recommendations in the UI rather than the
> user given a text fail whale. I don't know if there's consensus on
> this point.
>
> What about a "pronounceable" password creator, one that explicitly
> doesn't use dictionary words?

I have used this method before and didn't find pronounceable gibberish to be easy to remember; words are much more so. But I don't have anything against providing a few different styles of password to the user: one with random words, another with random syllables and even one with completely random characters. But all the presented passwords must pass the later check and.

> Based on the aforementioned 2009
> estimated cost to brute force attack passwords, it still looks like
> passwords like "however ready respect using" can't possibly be all
> that safe against a voluminous attack.

The NIST recommendations are for on-line systems where the password is used (and as such, is useful) for a limited amount of time and you have complete control over the number of tries the attacker can perform. The brute force you're talking about is for offline attacks where the attacker has access to password hashes; that is useful for guidelines for disk encryption or private key encryption, not so much for a regular login password.

> If you want to go to all this
> work building such a thing and translating it, why not help the user
> create completely non-dictionary passphrases that have some chance of
> being memorable by virtue of being pronounceable. Plus, the proposal
> should be nonsense in any language, which seems less
> Amero/Anglocentric.
>
> anguleatimplesc
> nitypeyrosentra
> mideakeremicamo
> spenhutendempis

Diceware already has word lists in many languages; I don't see why we couldn't have different random passwords (from different dictionaries) if the user selected a different installer language.

And what you consider pronounceable really depends on the language you speak... For example, this is a completely valid Czech sentence:

Strč prst skrz krk

Yes, it doesn't contain a single vowel :)

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
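As an added illustration (not code from this thread or from any Fedora installer), here is a generator for the three password styles discussed above: random words (Diceware-style), random pronounceable syllables, and fully random characters. Each candidate is sized from its alphabet so that it clears a minimum-entropy check before being shown, which is the "must pass the later check" requirement; the 16-word list, the 28-bit online-login threshold and the CVC syllable shape are constructed assumptions.

```python
import math
import secrets
import string

# Constructed 16-word mini list standing in for a Diceware-style list
# (a real list has 7776 words, about 12.9 bits each); 16 words = 4 bits each.
WORDS = ["red", "mist", "second", "wanted", "degree", "however", "ready",
         "respect", "using", "apple", "river", "stone", "cloud", "tiger",
         "paper", "light"]
CONSONANTS = "bcdfghjklmnprstvz"  # 17 symbols
VOWELS = "aeiou"                  # 5 symbols
SYLLABLES = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)  # CVC: 1445
CHARS = string.ascii_letters + string.digits                  # 62 symbols

def entropy_bits(picks, alphabet_size):
    """Entropy of `picks` uniform, independent choices from `alphabet_size`."""
    return picks * math.log2(alphabet_size)

def units_needed(alphabet_size, target_bits):
    """Fewest uniform picks from `alphabet_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def random_words(n, words=WORDS):
    """Diceware-style passphrase: n words drawn with a CSPRNG (secrets)."""
    return " ".join(secrets.choice(words) for _ in range(n))

def random_syllables(n):
    """Pronounceable gibberish: n consonant-vowel-consonant syllables."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   + secrets.choice(CONSONANTS) for _ in range(n))

def random_chars(n):
    """Fully random password over letters and digits."""
    return "".join(secrets.choice(CHARS) for _ in range(n))

def suggestions(min_bits=28):
    """One candidate per style, each sized to pass a min_bits check; 28 bits
    is an assumed threshold for a rate-limited online login (an offline
    target such as disk encryption would be set far higher)."""
    n_w = units_needed(len(WORDS), min_bits)
    n_s = units_needed(SYLLABLES, min_bits)
    n_c = units_needed(len(CHARS), min_bits)
    return {
        "words": (random_words(n_w), entropy_bits(n_w, len(WORDS))),
        "syllables": (random_syllables(n_s), entropy_bits(n_s, SYLLABLES)),
        "chars": (random_chars(n_c), entropy_bits(n_c, len(CHARS))),
    }
```

With a real 7776-word list, `units_needed(7776, 28)` gives 3 words for the online threshold and `units_needed(7776, 50)` gives 4, which is why a four-word phrase like "however ready respect using" sits around 52 bits.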