> and I agree, blanket requirement of changing the password every 30 days is
> bad
>
> but if we say "password never expires" we need to assume (for purposes of
> calculation) a sufficiently long password life-time - like 100 years
“Sufficiently long”, yes. 100 years, no—other time limits will become binding
much earlier:
* Can a botnet survive over 100 years? Something between 3 and 10 years seems
a better guess.
* Will a deployed system stay around for 100 years? The usual hardware warranty
is around 3 years, even small businesses tend to upgrade around every 10 years
(and change ISPs, i.e. IP addresses, even more frequently).
* Will a botnet continue to hammer a single system after 99 years of failures,
or give up and move on to an easier target?
For an untargeted attack, I would expect the last factor to dominate—resiliency
against 1–7 days of continuous password guessing intuitively seems quite
sufficient (though this depends not so much on what Fedora does as on what OS
vendors of other possible targets do).
For a targeted attack from a nation state, I don’t know; passwords tend to get
reused over a long time and a nation state may have the resources, interest and
means to keep following and attacking the same person/company over their
various computing systems for a decade or more easily enough. The folk wisdom
is that any targeted attack like this will eventually succeed, so I’m really
not sure where to put the line between “worthwhile effort to protect our users”
and “eh, you are screwed anyway, let’s not annoy those who are not targets like
you”.
> > > If we use the NIST recommendation of 100 unsuccessful login attempts to
> > > lock out the account and 30 day password rotation, then we may be fine with
> > > just 10 bit entropy - that of a random 4 digit PIN or single dictionary
> > > password.
> > OK yet my bank card 4 digit PIN doesn't rotate. It never expires. It's
> > been the same for 8+ years.
>
> it's also locked out after 3 unsuccessful attempts and requires possession of
> a hardware token, not a favourable comparison
(FWIW the locking out after 3 tries is not universal; I know of several banks
where 3 bad attempts will just cause the current transaction to be aborted and
allow you to try elsewhere again immediately (not even locking you out for 24
hours). But then banks never speak about their internal rate limiting and
alarm and automated / manual blocking rules, so we will not know the full
picture.)
Mirek
--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security
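An added illustration of the guessing-budget arithmetic argued over in the thread above (this is not code from the list or from Fedora). It models online guessing under a lockout policy and shows how the assumed attack duration (1-7 days vs. 3-10 years vs. 100 years) feeds into the entropy requirement; the policy numbers (100 failures, 1 hour lockout, 1% acceptable success) are assumptions, and with a permanent lockout and 10% success it reproduces the "100 attempts, ~10 bits" figure quoted earlier.

```python
import math

# Assumed policy parameters; every number here is a constructed example.

def online_guess_budget(max_failures, lockout_hours, attack_days):
    """Guesses an attacker can make against one account over attack_days.

    max_failures:  failed attempts allowed before the account locks.
    lockout_hours: how long the lock lasts; None means it stays locked until
                   an administrator intervenes, so one lockout ends the attack.
    The time the guesses themselves take is ignored (attacker-favourable).
    """
    if lockout_hours is None:
        return max_failures
    windows = attack_days * 24 / lockout_hours
    return int(max_failures * max(windows, 1))

def required_entropy_bits(guess_budget, max_success_probability):
    """Bits of uniformly random password entropy needed so that guess_budget
    distinct guesses succeed with probability at most max_success_probability
    (P(success) = budget / 2**bits, solved for bits)."""
    return math.log2(guess_budget / max_success_probability)

def lifetime_comparison(max_failures=100, lockout_hours=1.0, p_success=0.01,
                        lifetimes_days=(1, 7, 3 * 365, 10 * 365, 100 * 365)):
    """Required bits for each assumed attack duration from the thread.
    Doubling the duration adds exactly one bit, so the gap between
    '7 days' and '100 years' is only about 12 bits."""
    return {days: required_entropy_bits(
                online_guess_budget(max_failures, lockout_hours, days), p_success)
            for days in lifetimes_days}

if __name__ == "__main__":
    # The quoted NIST-style policy: 100 attempts, then locked until reset.
    print(f"100 attempts at 10% risk: "
          f"{required_entropy_bits(online_guess_budget(100, None, 30), 0.1):.1f} bits")
    for days, bits in lifetime_comparison().items():
        print(f"{days:>6} days of guessing -> {bits:5.1f} bits needed")
```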