Re: FESCO request to revert password confirmation change in F22

Mike Pinkerton wrote:
> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> >> I hope https://xkcd.com/936/ will be among the inputs to that
> >> discussion.
> >
> > I'm fond of noting that pwquality has not yet blacklisted any variant
> > of correcthorsebatterystaple. I've been using correcthorse as my stock
> > anaconda testing password, since the strength check has been
> > enforced...
> 
> It won't stand up to a combinator attack:
> 
> <https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html>

It's not entirely clear, but I guess you mean that a two-word
combination like "correct horse" won't stand up. That appears to be
true. A four-word phrase is an entirely different matter. Each
additional word increases the complexity exponentially, so doubling the
number of words squares the number of possible combinations.

The catch is that the words must be *randomly* chosen. XKCD doesn't
stress that point much, and humans are notoriously bad at choosing
randomly. I suspect that many people make up some highly nonrandom
four-word passphrase and think they have a "correct horse battery
staple"-quality passphrase.

Björn Persson

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
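
The point made in the message above, that keyspace grows exponentially with word count and only holds for random selection, as an added example that is not part of the original message or of any Fedora or pwquality code. The 2048-word list size (11 bits per word, the figure the XKCD comic uses) and the 16-word sample list are assumptions chosen for the demonstration.

```python
import math
import secrets

# Constructed 16-word sample list (assumption, for the demo only). A real
# list would hold thousands of words, e.g. 2048 (11 bits per word).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "violet", "copper",
    "meadow", "lantern", "gravel", "pillow", "timber", "orbit", "walnut",
    "harbor", "cinder",
]


def keyspace(list_size: int, n_words: int) -> int:
    """Number of equally likely passphrases of n_words from the list."""
    if list_size < 2 or n_words < 1:
        raise ValueError("need at least 2 words in the list and 1 word chosen")
    return list_size ** n_words


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy in bits; valid only when every word is drawn uniformly."""
    return math.log2(keyspace(list_size, n_words))


def generate_passphrase(words, n_words: int, sep: str = " ") -> str:
    """Draw n_words independently with a CSPRNG (no human choice involved)."""
    unique = sorted(set(words))  # duplicates would skew the distribution
    keyspace(len(unique), n_words)  # reuse the argument validation
    return sep.join(secrets.choice(unique) for _ in range(n_words))


if __name__ == "__main__":
    # Doubling the word count squares the number of combinations.
    for n in (2, 4):
        print(f"{n} words from 2048: {keyspace(2048, n):,} combinations, "
              f"{entropy_bits(2048, n):.0f} bits")
    print(generate_passphrase(SAMPLE_WORDS, 4))
```

The entropy figure describes the selection process, not the resulting string: a phrase a person made up has no such guarantee even if it looks the same.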
