On Sun, Mar 8, 2015 at 8:44 AM, Björn Persson <Bjorn@rombobjörn.se> wrote:
> Mike Pinkerton wrote:
>> I was responding to Björn Persson's suggestion that, in discussions
>> of password quality, correcthorsebatterystaple would be an example of
>> a safe password.
>
> Safe_r_. Security in passphrases isn't a binary thing. XKCD 936
> demonstrates that "correct horse battery staple" is much more secure
> than "Tr0ub4dor&3". (It shows the math in nice graphical form, very
> easy to follow.) Whether one or the other is secure enough depends on
> what you use it for.
>
> (Of course those two specific examples are worthless as passphrases now
> that they're famous.)

Right. I'm the guy that brought up the XKCD comic. The actual message of the comic is entertaining, and enlightening. Our modern password creation policies are forcing us to follow arbitrary mathematical rules that make our passwords *impossible to remember*.

And it gets worse. If you have RSI, or a bad keyboard or visual issues, or use a speech-to-text system, and you're having to type an 8-character mixed-case, non-alphabetical passphrase that *you cannot visually review or confirm*, password generation becomes nightmarish.

>> My point is that, if attackers are using strategies
>> other than brute forcing, which the Ars Technica article suggests is
>> the case, then constructing long passwords out of known words is
>> probably not a safe strategy.
>
> Those strategies are designed to crack bad passphrases that adhere to
> common patterns. They don't help with cracking *random* passphrases.
>
> And again, the security lies in *how many* words you use.

There's also a counterproductive effect. Passwords that are enforced, by policy, to be nonsensical gibberish tend to be written down, because no one can remember them. And because no one can remember them, they're written down in easily accessed locations. The classic storage is the Post-it note on the secretary's desk, but I see a lot of people who should know better writing them into source control systems that everyone in the company can read.

>> Except that the attackers aren't brute forcing long passwords.
>> Apparently, they can successfully crack a ridiculously high
>> percentage (90% in the Ars Technica experiment) in the space of a day
>> using other techniques.
>
> Because a ridiculously high percentage of passwords are badly chosen.
>
> Björn Persson

And a ridiculous number of them are being set, permanently, for admins and trusted users who couldn't spell "password rotation" if you tattooed one word on each hand.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
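The entropy arithmetic the thread keeps pointing at (the XKCD 936 figure, and Björn's "the security lies in how many words you use") is easy to make concrete. The following is an added example written for this page, not code from the mailing list, XKCD or any Fedora project; the function names are my own, and `SAMPLE_WORDS` is a constructed eight-word stand-in for a real diceware-style list (the EFF long list, for instance, has 7776 entries). The estimate only holds when every word is drawn uniformly at random from the list, which is exactly why a phrase the user makes up, or one that has become famous, gets none of this entropy.

```python
import math
import secrets

# Constructed sample list for the demo. A real list has thousands of entries;
# with only eight words, four of them give just 12 bits, which is the point:
# the strength comes from list size times word count, not from the words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lantern", "pepper", "quilt"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy, in bits, of word_count words chosen uniformly and independently
    from a list of list_size words: log2(list_size ** word_count)."""
    if list_size < 2 or word_count < 1:
        raise ValueError("need a list of at least two words and at least one word")
    return word_count * math.log2(list_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a truly random string of `length` symbols over an alphabet of
    charset_size symbols. Human-chosen "Tr0ub4dor&3"-style strings are far
    below this bound because the substitutions follow predictable patterns."""
    if charset_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least two symbols and length >= 1")
    return length * math.log2(charset_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker to search the whole space at the given rate.
    Averaged over all passphrases the attacker needs about half of this."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, count: int, separator: str = " ") -> str:
    """Draw `count` words with the CSPRNG-backed secrets module, never the
    `random` module, so the uniform-selection assumption actually holds."""
    if len(words) < 2 or count < 1:
        raise ValueError("need at least two candidate words and count >= 1")
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Four words from a 2048-word list: the 44-bit figure from the comic.
    print("4 words / 2048-word list:", passphrase_entropy_bits(2048, 4), "bits")
    print("8 random lowercase letters:", round(charset_entropy_bits(26, 8), 1), "bits")
    print("words from a 7776-word list for 64 bits:", words_needed(7776, 64))
    print("years to exhaust 44 bits at 1000 guesses/s:",
          round(years_to_exhaust(44, 1000), 1))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The two numbers worth comparing are `passphrase_entropy_bits(2048, 4)` (44 bits) against what an 8-character policy password realistically delivers: even a perfectly random 8-letter lowercase string is under 38 bits, and a human-patterned one is well below that, which is what the dictionary-plus-mangling attacks in the Ars Technica experiment exploit. Increasing the word count adds a full `log2(list_size)` bits per word, so the defender's lever is the number of words, as Björn says, not the character-class rules.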