On Thu, Feb 26, 2015 at 3:30 AM, Hubert Kario <hkario@xxxxxxxxxx> wrote:

> Talking about entropy without talking about how severe will be the rate
> limiting or password lifetimes will also lead us nowhere.

OK, so the password lifetime thing: I just fired my ISP for having 3 month mandatory password changes. I think it's a bad idea that actually makes us less safe.

https://www.schneier.com/blog/archives/2010/11/changing_passwo.html

> If we use the NIST recommendation of 100 unsuccessful login attempts to
> lockout account and 30 day password rotation, then we may be fine with just 10
> bit entropy - that of a random 4 digit PIN or single dictionary password.

OK, yet my bank card 4 digit PIN doesn't rotate. It never expires. It's been the same for 8+ years.

I strongly advise, when considering what work needs to be done, that you consider what sort of work will be resoundingly rejected. Overwhelmingly, users will reject both password quality enforcement and expirations. So if they're totally off the table, now what? What's your next design idea for hardening? Because *that* is the one that probably has the best bang for the buck.

To put a finer point on this: some of you probably assume the human primate is much more agreeable than they really are. The thing is, as soon as they get to a certain threshold of frustration, they go berserk. They scream, they throw things, they create uproar, make all sorts of off-topic rants and insults: incredible amounts of irrational behavior. And there's a reason for this. It's a successful sociological behavior. If the uproar is just widespread enough, if enough peripheral individuals who otherwise would say nothing see a fellow primate flipping out, then they feel like it's socially acceptable to complain also (rationally or irrationally) when they otherwise wouldn't; people will be sucked into a vortex of manufactured controversy explicitly (though unconsciously) designed for the minority to veto a change.
The entire point is to be disruptive. And this has happened before on this very issue, the last time Anaconda folks changed the password behavior. And I think the current behavior in the installer (the change) is more controversial than that one.

Now maybe our fellow primates get riled up and worn out about some other controversy first. And somehow the password change sneaks in under the radar. I seriously doubt it, and I think expecting it will is very high risk. I think we're better off assuming the worst, not the best, and trying to leave the unpredictable user out of the equation entirely until absolutely necessary.

So for any of you who don't like verbal fist fights? You're not serious. You don't take these changes seriously enough if you're not willing to argue vehemently, angrily, in favor of them. You have to demonstrate to your fellow primates that this is serious business and we have no alternatives right now than to shift the burden to the user. If you can't do that and stick with it, give it up. Instead, consider the alternatives that don't require user cooperation.

-- 
Chris Murphy

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
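The quoted trade-off between password entropy, lockout threshold and password lifetime can be put into numbers. The following is an added worked example written for this page; it is not code from the thread, from Anaconda, or from NIST. It assumes a simple model, stated in the comments: the password is drawn uniformly from a space of a known size, the attacker makes distinct online guesses, the only throttle is the lockout counter, and each clearing of the lockout (auto-unlock, or a user calling support) gives the attacker another full batch of guesses before the password rotates. The function and parameter names are my own.

```python
"""Online-guessing arithmetic for a lockout-limited password (added example).

Model assumptions (not from the original thread):
  * the password is chosen uniformly from `space` candidates
    (2**bits for a random bit string, 10**4 for a 4-digit PIN,
     the dictionary size for a single dictionary word);
  * the attacker never repeats a guess;
  * the lockout counter is the only rate limit, and each time the lockout is
    cleared the attacker gets `attempts_before_lockout` fresh guesses;
  * the password is replaced at the end of its lifetime, so guesses against
    the old value are wasted against the new one.
"""
import math


def entropy_bits(space: int) -> float:
    """Entropy of a uniform choice from `space` candidates, in bits."""
    return math.log2(space)


def guess_budget(attempts_before_lockout: int, lockout_resets_per_lifetime: int) -> int:
    """Distinct online guesses available against one account in one password lifetime."""
    return attempts_before_lockout * lockout_resets_per_lifetime


def success_probability(guesses: int, space: int) -> float:
    """Probability that `guesses` distinct guesses hit a uniform password from `space`."""
    if guesses <= 0:
        return 0.0
    return min(1.0, guesses / space)


def min_entropy_for(target_probability: float, guesses: int) -> int:
    """Smallest whole number of bits at which `guesses` distinct guesses succeed
    with probability at most `target_probability` (per account, per lifetime)."""
    if not 0.0 < target_probability <= 1.0:
        raise ValueError("target_probability must be in (0, 1]")
    return math.ceil(math.log2(guesses / target_probability))


def expected_compromised(accounts: int, per_account_probability: float) -> float:
    """Password spraying: the same guess budget spent against every account."""
    return accounts * per_account_probability


def scenario(space: int, attempts_before_lockout: int,
             lockout_resets_per_lifetime: int = 1, accounts: int = 1) -> dict:
    """Evaluate one policy; returns the numbers a reviewer would want to see."""
    guesses = guess_budget(attempts_before_lockout, lockout_resets_per_lifetime)
    p = success_probability(guesses, space)
    return {
        "entropy_bits": entropy_bits(space),
        "guesses_per_lifetime": guesses,
        "per_account_probability": p,
        "expected_compromised": expected_compromised(accounts, p),
    }


if __name__ == "__main__":
    # The quoted policy: 100 attempts before lockout, 30-day rotation,
    # ~10-bit password (modelled here as a 4-digit PIN, space = 10**4).
    print("4-digit PIN, one lockout per lifetime:",
          scenario(10**4, 100, 1, accounts=1000))
    # Same policy if the lockout auto-clears once a day over the 30 days.
    print("4-digit PIN, lockout cleared daily:",
          scenario(10**4, 100, 30, accounts=1000))
    # Bits needed for a 1-in-1000 per-account chance under each guess budget.
    for budget in (100, 3000):
        print(f"budget {budget}: need {min_entropy_for(0.001, budget)} bits")
```

The `scenario` call is where the policy knobs live: `attempts_before_lockout` is the lockout threshold, `lockout_resets_per_lifetime` captures how often the counter is cleared before rotation, and `accounts` turns a per-account probability into the number of accounts an attacker who sprays the whole user base can expect to open.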