Re: FESCO request to revert password confirmation change in F22

On 8 March 2015 at 08:41, Mike Pinkerton <pselists@xxxxxxxxxxxxxx> wrote:



Ok, to bring this back around to where we started -- password quality checkers on Fedora:

1.  By positing a "strategic" attacker, we have now reduced the time we expect it to take him/her to crack our 29 character password ("rastafarianestablishmentarian"), with whatever amount of entropy it has, to a matter of weeks or months rather than millions of years.  Even if we had used a slightly longer password with upper case and numerals -- Rastafarianestablishmentarian2015 -- that would probably still be true because it matches a common pattern of initial upper case and appended numerals.

2.  Humans are so good at patterns that we tend to embed them in everything we do, knowingly or unknowingly.  Given that, any password or passphrase that a random user can easily remember is likely to match a fairly common pattern.

3.  How do you get your password quality checker to recognize all such patterns, rather than just computing a string's entropy?



You can't give an absolute number in deterministic time because the problem you are trying to solve is pretty much the travelling salesperson problem in one form or another. You can come up with shortcuts to give an approximate level of 'strength', but you can't give an absolute 0/1 answer. The problem is that the better you want me to gauge your password's strength, the more resources (memory, time, etc.) I need to do it. At a certain point it is not worth it, so we are going to have to choose a methodology as a first guess and go with that.

--
Stephen J Smoogen.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
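
Point 3 of the quoted message contrasts computing a string's entropy with recognising patterns. The following added example (not code from this thread or from any Fedora password checker) prices the two passwords from point 1 both ways. The word list, the 100,000-word dictionary size and the year range are assumptions made for illustration.

```python
import math
import re

# Constructed stand-in for a cracking dictionary. DICT_SIZE (the assumed size
# of the real list) prices each word; it is an assumption, not a measurement.
WORDS = {"rasta", "rastafarian", "establishment", "establishmentarian"}
DICT_SIZE = 100_000
WORD_BITS = math.log2(DICT_SIZE)

def naive_bits(pw):
    """Per-string entropy: length * log2(size of the character classes used)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
    pool = sum(size for pattern, size in classes if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def char_bits(c):
    """Cost of one character that no dictionary word explains."""
    return math.log2(26 if c.islower() else 52 if c.isalpha() else 10 if c.isdigit() else 33)

def segment_bits(s):
    """Cheapest split of s into dictionary words plus unexplained characters."""
    best = [0.0] + [math.inf] * len(s)
    for end in range(1, len(s) + 1):
        best[end] = best[end - 1] + char_bits(s[end - 1])
        for start in range(end):
            if s[start:end] in WORDS:
                best[end] = min(best[end], best[start] + WORD_BITS)
    return best[-1]

def pattern_bits(pw):
    """Price the patterns named in the thread: initial capital, appended numerals, words."""
    bits = 0.0
    tail = re.search(r"[0-9]+$", pw)
    if tail:
        digits = tail.group()
        # Assumption: a four-digit year in 1930-2029 is one of 100 guesses.
        is_year = len(digits) == 4 and 1930 <= int(digits) <= 2029
        bits += math.log2(100) if is_year else len(digits) * math.log2(10)
        pw = pw[:tail.start()]
    if pw[:1].isupper():
        bits += 1.0  # one bit: is the first letter capitalised or not
        pw = pw[0].lower() + pw[1:]
    return bits + segment_bits(pw)

if __name__ == "__main__":
    for pw in ("rastafarianestablishmentarian", "Rastafarianestablishmentarian2015"):
        print(f"{pw}: naive {naive_bits(pw):.1f} bits, pattern-aware {pattern_bits(pw):.1f} bits")
```

The nested loop in `segment_bits` grows with the square of the password length, and every further pattern the checker is taught adds more work, which is the resource trade-off the reply describes.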
