> On Mon, Feb 23, 2015 at 4:22 PM, Miloslav Trmač <[email protected]> wrote:
> > AFAICT a good rate limiting / denyhosts-like blacklist would make the
> > higher password quality requirement mostly unnecessary. With rate
> > limiting, strong password quality (beyond the “not obviously stupid” level
> > of password quality) only matters against off-line attacks.
>
> This comment I think is in scope for the FESCo ticket. It'd also be
> useful exactly how to obtain the "not obviously stupid" check. Is this
> some blacklist made of the top 100,000 most common passwords used in
> 2014 hacks?
That is not some absolute measure; it is intrinsically linked with how we
rate-limit/otherwise protect passwords. For a hypothetical made-up example,
suppose we decided on a goal that a Fedora box should be able to resist 7 days
of continuous password guessing, _and_ had a ssh rate limiting implementation
that restricted the botnet to 1 guess a minute over the 7 days. Then we only
need to protect against the 10,080 possible guesses, i.e. something on the
order top 20,000 most common passwords (compare that with the 479,828 entries
in /usr/share/dict/words). Obviously with a different rate
limiting/brute-forcing implementation, or a different goal, the password
strength requirement would be different.
Mirek
--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security
