Re: [Savannah-hackers-public] [savannah-help-public] [sr #108600] Registration b0rked
From: beuc
Subject: Re: [Savannah-hackers-public] [savannah-help-public] [sr #108600] Registration b0rked
Date: Thu, 26 Jun 2014 19:40:42 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
On Thu, Jun 26, 2014 at 05:28:37PM +0000, Karl Berry wrote:
> http://savannah.gnu.org/support/?108600
> ...
> The password I was choosing should be plenty strong for this.
>
> I admit I have some sympathy with the view that our password
> requirements are too stringent. How about requiring only two classes
> for eight-char passwords instead of three? Sure, it is weaker, but
> there's a tradeoff between pain for users (high) and likelihood of a bad
> guy ever getting the encrypted passwords (low). Besides, if a bad guy
> does get the encrypted pws, that probably means they have root on
> savannah and our problems are a lot worse than 2-class vs. 3-class
> passwords.
Just a couple notes:
- it's meant to support easy-to-remember https://xkcd.com/936/
- last time we got a compromise (2010), the user had the encrypted
passwords (through SQL injection), but he didn't get root.
--
Sylvain
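As an added example (not code from this thread, and not Savannah's own registration code), the following Python puts the two policies under discussion side by side: the "at least 3 of 4 character classes for an 8-character password" rule, Karl's relaxed 2-class variant, and a passphrase rule in the spirit of xkcd 936. The class definitions, the passphrase thresholds, the 2048-word dictionary size and the sample candidates are assumptions made for illustration.

```python
import math
import string

# Character classes for the "at least N of 4 classes" rule discussed in the
# thread. Counting space as a symbol is an assumption for this example.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}


def classes_used(password):
    """Names of the character classes that appear in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_class_rule(password, min_length=8, min_classes=3):
    """Class-count rule: at least min_length chars drawn from at least
    min_classes classes. Karl's proposal corresponds to min_classes=2."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def meets_passphrase_rule(password, min_words=4, min_length=16):
    """Alternative rule (assumed thresholds): accept long multi-word
    passphrases regardless of which character classes they use."""
    words = [w for w in password.split() if w]
    return len(words) >= min_words and len(password) >= min_length


def brute_force_bits(password):
    """Upper bound on guessing work: the attacker enumerates every string of
    the same length over the classes actually present. This ignores dictionary
    words and l33t substitutions, so it flatters Tr0ub4dor-style passwords."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(n_words, dictionary_size=2048):
    """Entropy of n_words drawn uniformly from a dictionary; xkcd 936 counts
    about 11 bits per word, i.e. a 2048-word list."""
    return n_words * math.log2(dictionary_size)


def evaluate(password):
    """Summarize how one candidate fares under each policy."""
    return {
        "classes": sorted(classes_used(password)),
        "three_class_rule": meets_class_rule(password, min_classes=3),
        "two_class_rule": meets_class_rule(password, min_classes=2),
        "passphrase_rule": meets_passphrase_rule(password),
        "brute_force_bits": round(brute_force_bits(password), 1),
    }


# Constructed sample candidates, not passwords from the thread.
SAMPLES = [
    "Tr0ub4dor&3",                   # xkcd's hard-to-remember example: 4 classes
    "correct horse battery staple",  # xkcd's passphrase: only 2 classes
    "password",                      # 8 chars, 1 class
    "Passw0rd",                      # 8 chars, 3 classes, still a well-known pattern
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:32} {evaluate(pw)}")
    print("4 words from a 2048-word list:", passphrase_bits(4), "bits")
```

The point the table makes is the one Sylvain raises: "correct horse battery staple" is rejected by the 3-class rule and accepted by the 2-class rule, while an 8-character 3-class candidate such as "Passw0rd" passes even though it is a well-known pattern. The brute-force bound is only the worst case for the attacker; it is there to show why counting classes is a weak proxy for guessability, not as a strength score.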