On Thu, Feb 26, 2015 at 12:12 PM, Hubert Kario <hkario@xxxxxxxxxx> wrote: > > and I agree, blanket requirement of changing the password every 30 days is bad > > but if we say "password never expires" we need to assume (for purposes of > calculation) a sufficiently long password life-time - like 100 years > > we could go the route of - give me a good enough password and you won't be > required to change it in next x-months or x-years > > but every calculation of security level of a password needs to include: > - amount of tries the attacker can perform per unit of time > - how long the password is useful > - how hard is the password to guess (entropy) > > If the "amount of tries" is "5 million per second", the "how long" is "10 > years" then the password needs to be really complex to keep "1% chance to be > guessed". > > But if you enter "100 tries per 30 days", "30 days" and "10 bits of entropy" > you get "1% chance for the password to be guessed". > > We can tune any value we like, but some other value will change too, otherwise > we will not end up with a system that is as secure as we would like/expect. I just don't see this being even remotely tenable in an OS installer. There are no examples of this being successfully foisted on users yet either. I think the burden is high both for user and development. I think this GUI application needs to be standalone, with no dependency on the installer for now. > >> > If we use the NIST recommendation of 100 unsuccessful login attempts to >> > lockout account and 30 day password rotation, then we may be fine with >> > just 10 bit entropy - that of a random 4 digit PIN or single dictionary >> > password. >> OK yet my bank card 4 digit PIN doesn't rotate. It never expires. It's >> been the same for 8+ years. > > it's also locked out after 3 unsuccessful attempts and requires possession of > hardware token, not a favourable comparison Perhaps not favorable, but it's quite useless and relevant because it's exactly what any ordinary user wonders when they're burdened with disproportionate password requirements. Why? It's the mitigating factors. So how do you create mitigating factors that don't affect the user at all? I've never run into the 3 attempt limit of a bank card, I had no idea the limit was that low, because I've never gotten it wrong three times in a row. -- Chris Murphy -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
