Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

On Wed, 2011-10-12 at 14:37 -0400, Przemek Klosowski wrote:
> On 10/12/2011 01:41 PM, Richard Hughes wrote:
> > On 12 October 2011 17:44, Kevin Fenzi<kevin@xxxxxxxxx>  wrote:
> >> * Nine or more characters with lower and upper case letters, digits and
> >>   punctuation marks.
> >> * Ten or more characters with lower and upper case letters and digits.
> >> * Twelve or more characters with lower case letters and digits
> >> * Twenty or more characters with all lower case letters.
> >
> > This is just insane. My existing password is 8 digits and
> > alphanumeric, and given that I have to enter it over and over again
> > (and prove "I'm human", another WTF) when creating updates I'm really
> > wondering if I want to bother.
> 
> Length beats out larger character set, which is nicely illustrated by 
> the XKCD cartoon
> 
> http://imgs.xkcd.com/comics/password_strength.png
> 
> Considering that it's hard to type a wide character set (I probably 
> touch-type '&' correctly about 70% of the time), I actually like long 
> alpha passwords.
> 
> It is strange though that the complexity of the new requirements varies 
> so much:
> 
> (24+24+10+12)^9  or 4.0354e+16
> (24+24+10)^10    or 4.3080e+17
> (24+24)^12       or 1.4959e+20
> (24)^20          or 4.0200e+27
> 
> except, of course, the alphabetic strings aren't likely to be purely 
> random but rather dictionary words, which would reduce the complexity 
> spread.

These rules are very restricting.

If I want to use _random_ lower case letters, I have to remember 20
random characters and have marginally more secure password compared to
people who use lower case, upper case and digits?

Even just 14 random lower case letters have bigger complexity than the
other cases.

I can use a 12-character-long random lower case password, or
"aaaaaaaaaaaaaaaaaaaa". I will not be remembering 20 random letters.

Please change the rules to have at least similar complexity.

> 
> Richard's complexity is (24+24+10)^8, or 1.2806e+14 which is not that 
> much worse than the low end. We all know that he'll just add '1' to his 
> existing password :)
> 
> except, of course, the alphabetic strings aren't going to be purely 
> random but rather dictionary words, which would reduce the complexity 
> spread.

-- 
Martin Gracik <mgracik@xxxxxxxxxx>

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
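The thread above argues about the four password tiers by hand. The following is an added example, not code posted by anyone in the thread, that encodes the four rules as a policy checker and computes the entropy of a uniformly random password of each tier's minimum length. It assumes a literal reading of the rules (a tier is satisfied when the required character classes are all present and the length is met; the "all lower case" tier admits nothing but lower case letters) and takes the punctuation alphabet to be the 32 characters of Python's `string.punctuation`; real alphabets are 26 letters and 10 digits, rather than the 24 used in the quoted arithmetic.

```python
import math
import string

# Character classes. The tiers in the thread count 24 letters; ASCII has 26.
LOWER = set(string.ascii_lowercase)   # 26 symbols
UPPER = set(string.ascii_uppercase)   # 26 symbols
DIGIT = set(string.digits)            # 10 symbols
PUNCT = set(string.punctuation)       # 32 symbols (assumed punctuation set)

# The four tiers as posted, read literally:
# (name, minimum length, classes that must each appear, only-those-classes?)
TIERS = [
    ("lower+upper+digit+punct", 9,  (LOWER, UPPER, DIGIT, PUNCT), False),
    ("lower+upper+digit",       10, (LOWER, UPPER, DIGIT),        False),
    ("lower+digit",             12, (LOWER, DIGIT),               False),
    ("lower only",              20, (LOWER,),                     True),
]


def policy_tier(password):
    """Return the name of the first tier the password satisfies, or None.

    Tiers are tried in the posted order, so a password that carries all
    four classes is reported under the 9-character tier even if it is
    also long enough for a later one.
    """
    chars = set(password)
    for name, min_len, classes, exclusive in TIERS:
        if len(password) < min_len:
            continue
        if not all(chars & cls for cls in classes):
            continue  # a required class is missing
        if exclusive and not chars <= set().union(*classes):
            continue  # "all lower case letters" admits nothing else
        return name
    return None


def tier_keyspace_bits():
    """Entropy (bits) of a uniformly random password of each tier's
    minimum length drawn from that tier's full alphabet."""
    return {
        name: min_len * math.log2(len(set().union(*classes)))
        for name, min_len, classes, _ in TIERS
    }


def equivalent_length(alphabet_size, target_bits):
    """Shortest uniformly random password over `alphabet_size` symbols
    that reaches at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    bits = tier_keyspace_bits()
    for name, b in bits.items():
        # How many random lower case letters give the same entropy
        n = equivalent_length(len(LOWER), b)
        print(f"{name:25s} {b:6.2f} bits  ~ {n} random lower case letters")
    # Constructed sample passwords, one per outcome
    for pw in ["Tr0ub4dor&3", "abcdefgh12", "abcdefghij12", "a" * 20, "a" * 19]:
        print(f"{pw!r:25s} -> {policy_tier(pw)}")
```

Running it shows that 13 to 14 uniformly random lower case letters already match the entropy of the three shorter tiers at their minimum lengths, while the posted rule demands 20; that is the imbalance the thread complains about. The checker also makes the literal-reading corner cases visible: a 25-character password of mixed upper and lower case letters without digits satisfies none of the four tiers as written.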