On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>> On 12 October 2011 17:44, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> > All existing users of the Fedora Account System (FAS) at
>> > https://admin.fedoraproject.org/accounts are required to change their
>> > password and upload a NEW ssh public key before 2011-11-30.
>>
>> I have to upload a *new* public key? Why should I have two sets of keys?
>
> Meant 'replacement'. You can only have one key in FAS, afaict.
>
>> > * Nine or more characters with lower and upper case letters, digits and
>> > punctuation marks.
>> > * Ten or more characters with lower and upper case letters and digits.
>> > * Twelve or more characters with lower case letters and digits
>> > * Twenty or more characters with all lower case letters.
>>
>> This is just insane. My existing password is 8 digits and
>> alphanumeric, and given that I have to enter it over and over again
>> (and prove "I'm human", another WTF) when creating updates I'm really
>> wondering if I want to bother.
>>
>> Talk about putting up barriers.
>
> I can think of no reason why everyone shouldn't use a password manager.
> It's just hands down a better way to do things in every respect. Eight
> characters alphanumeric is not actually a very strong password; the
> numbers on how long it'd take to brute force with e.g. EC2 are quite
> tiny. And an account like yours certainly counts as high-value.

In fact there are rainbow tables out there easily available of all 8
alphanumeric combinations where you wouldn't even need EC2 to crack a
lot of them. I know of a couple of DBs where they have terabytes of
precalculated password hashes and it's just a simple string match.

Peter
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
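The four length/character-class tiers quoted in this thread can be checked mechanically, and doing so shows how the shortest password each tier admits compares with the 8-character alphanumeric case under discussion. This is an added example, not part of the original thread and not FAS code. It assumes a password passes if it meets any one tier, that extra character classes are allowed, and that any non-alphanumeric character counts as punctuation; the function names are hypothetical.

```python
import math
import string

# The four tiers quoted from the announcement: (minimum length, required classes).
# Assumption: a password passes if it meets ANY tier, and characters from
# classes beyond the tier's list are allowed (FAS's real matching may differ).
TIERS = [
    (9,  {"lower", "upper", "digit", "punct"}),
    (10, {"lower", "upper", "digit"}),
    (12, {"lower", "digit"}),
    (20, {"lower"}),
]
ALPHABET = {"lower": 26, "upper": 26, "digit": 10,
            "punct": len(string.punctuation)}


def classes(password):
    """Return the set of character classes present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("punct")  # assumption: anything else is punctuation
    return found


def matching_tier(password):
    """Return the minimum length of the first tier satisfied, or None."""
    present = classes(password)
    for min_len, required in TIERS:
        if required <= present and len(password) >= min_len:
            return min_len
    return None


def keyspace_bits(length, used):
    """log2 of the number of candidates of this length over these classes.

    This is an upper bound on brute-force work: it only holds for
    passwords chosen uniformly at random, which human-chosen ones are not.
    """
    return length * math.log2(sum(ALPHABET[c] for c in used))


def tier_floor_bits():
    """Keyspace, in bits, of the shortest password each tier admits."""
    return [round(keyspace_bits(n, req), 1) for n, req in TIERS]
```

Under these assumptions the first three tiers admit roughly the same minimum keyspace (about 59 to 62 bits), while 8 alphanumeric characters give about 47.6 bits.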