On 10/12/2011 02:10 PM, Peter Robinson wrote:
> On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
>> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>>> On 12 October 2011 17:44, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>>>> All existing users of the Fedora Account System (FAS) at
>>>> https://admin.fedoraproject.org/accounts are required to change their
>>>> password and upload a NEW ssh public key before 2011-11-30.
>>>
>>> I have to upload a *new* public key? Why should I have two sets of keys?
>>
>> Meant 'replacement'. You can only have one key in FAS, afaict.
>>
>>>> * Nine or more characters with lower and upper case letters, digits and
>>>>   punctuation marks.
>>>> * Ten or more characters with lower and upper case letters and digits.
>>>> * Twelve or more characters with lower case letters and digits.
>>>> * Twenty or more characters with all lower case letters.
>>>
>>> This is just insane. My existing password is 8 digits and
>>> alphanumeric, and given that I have to enter it over and over again
>>> (and prove "I'm human", another WTF) when creating updates I'm really
>>> wondering if I want to bother.
>>>
>>> Talk about putting up barriers.
>>
>> I can think of no reason why everyone shouldn't use a password manager.
>> It's just hands down a better way to do things in every respect. Eight
>> characters alphanumeric is not actually a very strong password; the
>> numbers on how long it'd take to brute force with e.g. EC2 are quite
>> tiny. And an account like yours certainly counts as high-value.
>
> In fact there are rainbow tables out there easily available of all 8
> alphanumeric combinations where you wouldn't even need EC2 to crack a
> lot of them. I know of a couple DBs where they have terabytes of
> pre-calculated password hashes and it's just a simple string match.
>
> Peter

If FAS uses salts, and the DB hasn't been compromised, then rainbow tables are useless.

If re-encryption is used, then brute force will be much slower. Eight char passwords are not ideal, but they are also not trivially compromised if the system uses relatively basic/simple precautions. Again, barring a leak of the DB/salts therein.

-- 
Digimer
E-Mail: digimer@xxxxxxxxxxx
Freenode handle: digimer
Papers and Projects: http://alteeve.com
Node Assassin: http://nodeassassin.org
"At what point did we forget that the Space Shuttle was, essentially, a program that strapped human beings to an explosion and tried to stab through the sky with fire and math?"

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
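The two claims in the thread, that a precomputed hash-to-password table only works against unsalted hashes and that iterated ("re-encrypted", read here as key-stretched) hashing raises the per-guess cost, can be checked directly. The following is an added illustration written for this page, not code from the thread or from FAS; it uses Python's standard `hashlib.pbkdf2_hmac` as the stretched scheme, and the candidate word list, the user password and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the thread): a tiny word list standing in
# for a precomputed table, and one user's chosen password.
CANDIDATES = ["password", "abcd1234", "letmein1", "qwerty99"]
USER_PASSWORD = "abcd1234"
ITERATIONS = 100_000  # assumed work factor; real deployments tune this to hardware


def unsalted_hash(password: str) -> str:
    # Plain SHA-1 of the password: the same password gives the same digest for
    # every user and every site, which is exactly what a precomputed table needs.
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    # A "digest -> password" mapping built once from a word list. A rainbow
    # table is a space-optimised version of this same idea.
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, stored_digest):
    # Simple string match against the stored digest, as described in the thread.
    return table.get(stored_digest)


def salted_stretched_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    # Per-user random salt plus PBKDF2 iteration: the salt makes any table built
    # in advance useless (it was computed without this salt), and the iteration
    # count multiplies the cost of every guess an attacker makes after a leak.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; constant-time compare.
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    table = build_lookup_table(CANDIDATES)
    plain = unsalted_hash(USER_PASSWORD)
    salted_a = salted_stretched_hash(USER_PASSWORD)
    salted_b = salted_stretched_hash(USER_PASSWORD)
    return {
        # Unsalted: the table recovers the password by a direct match.
        "unsalted_lookup": lookup(table, plain),
        # Salted: the derived key is not in any table built without this salt.
        "salted_lookup": lookup(table, salted_a.split("$")[-1]),
        # Two records for the same password differ, so one table entry cannot
        # serve every user who picked that password.
        "records_differ": salted_a != salted_b,
        # Legitimate verification still works; a wrong password is rejected.
        "verify_ok": verify(USER_PASSWORD, salted_a),
        "verify_wrong": verify("password", salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats precomputation but not guessing: once the database and salts leak, an attacker can still run the word list through PBKDF2 per user, which is why the iteration count (and, in practice, a memory-hard function) matters alongside the salt.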