
Re: [Savannah-users] password must be more complicated


From: Bob Proulx
Subject: Re: [Savannah-users] password must be more complicated
Date: Tue, 7 May 2013 15:44:46 -0600
User-agent: Mutt/1.5.21 (2010-09-15)

Hi Jan,

Jan Owoc wrote:
> I can confirm that the previous settings in Savannah (haven't
> checked now) would not allow a few completely random passwords
> because they were apparently based on dictionary words.

The recent change should allow people to use passphrases.  Before
those would have been capped at 40 characters which may have been too
short for a passphrase.  Should work now.  Everything else is pretty
much the same.  Meaning that there is still trouble with some random
passwords.

> It was immensely frustrating (as a user) to be first told that none
> of my common passwords pass,

Whenever I hear "common passwords" I always cringe.  Please read:

  Why passwords have never been weaker—and crackers have never been stronger
  http://arstechnica.com/security/2012/08/passwords-under-assault/

  From the article:
  "The average Web user maintains 25 separate accounts but uses just
  6.5 passwords to protect them..."

I never reuse passwords.  Every site is unique.  I am not an average
user as I have hundreds of accounts.  I accomplish this by keeping a
file of account information.  But any method such as "password wallet"
programs or whatever would be okay too.  There are many ways to
accomplish the goal.

> then turn to a password generator and be told that a password
> looking like "ohtaOe0huChiel9m" is based on a dictionary word.

Yes.  That is exactly the reaction I had as well.

One of the problems is that password checkers usually look at the
plain text of the password.  But crackers either try and try again
using heuristics and dictionaries, or they have access to the hashed
password and crack it with rainbow tables and other parallel attacks.
Having access to the plain text encourages shortcuts that are not
available to the cracker.  It makes for many false positives.

In summary, just because "dog" is in the dictionary doesn't make
"2ZJUptQJ5dog7wwq3OMrNd14bxAJ1" insecure because it contains it.

> I think it took me 3 tries to generate something that would be
> acceptable (longer passwords are more likely to have a 4-character
> sub-string that is apparently based on a dictionary word).

Yes.  But longer passwords with pwqcheck are also more likely to be
longer than the minimum lengths configured due to having more
character classes.  Currently 24 characters long is the magic length
to be guaranteed to pass the check.  If generating random passwords
then knowing this and generating 24 random characters would be just as
easy for the human as 17 or 8 as long as they are not typing them in.

Bob
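An added demonstration of the false positive Bob describes (my own example code, not Savannah's configuration and not passwdqc's source): a naive plaintext substring check against a word list, placed beside a length-and-character-class rule and a brute-force work estimate. The word list is a constructed sample, and the per-class minimum lengths are assumed values loosely modeled on passwdqc's documented default policy.

```python
import math
import string

# Constructed sample word list; a real checker loads thousands of words.
WORDS = ("dog", "cat", "hello", "savannah", "password")

# Assumed minimum length by number of character classes, loosely modeled on
# passwdqc's default "min=disabled,24,11,8,7": a single class never passes,
# two classes need 24 characters, three need 8, four need 7.  Simplified:
# the passphrase tier and passwdqc's special cases are omitted.
MIN_LEN_BY_CLASSES = {1: None, 2: 24, 3: 8, 4: 7}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def char_classes(pw):
    """Number of character classes the password draws from."""
    return sum(any(c in cls for c in pw) for cls in CLASSES)


def dictionary_hit(pw):
    """Naive plaintext check: first word found as a case-insensitive substring.
    This is the style of check that rejects a random string merely because a
    word happens to sit inside it."""
    low = pw.lower()
    return next((w for w in WORDS if w in low), None)


def entropy_bits(pw):
    """Bits of guessing work for a uniformly random password of this length
    over the classes it uses.  A brute-force or rainbow-table attacker faces
    this regardless of whether 'dog' appears somewhere in the string."""
    if not pw:
        return 0.0
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet)


def length_class_rule(pw):
    """Length/class policy: True when the password meets the assumed minimum."""
    need = MIN_LEN_BY_CLASSES.get(char_classes(pw))
    return need is not None and len(pw) >= need


def assess(pw):
    """Side-by-side view of what each style of check says about a password."""
    return {"length": len(pw), "classes": char_classes(pw),
            "length_rule_ok": length_class_rule(pw),
            "dictionary_hit": dictionary_hit(pw),
            "entropy_bits": round(entropy_bits(pw), 1)}


if __name__ == "__main__":
    for pw in ("2ZJUptQJ5dog7wwq3OMrNd14bxAJ1", "Savannah2013", "dog"):
        print(pw, assess(pw))
```

The random 29-character example is flagged by the substring check yet carries roughly 173 bits of brute-force work, while "Savannah2013" passes the length rule and is caught only by the word check, which is why the two checks need to be weighed together rather than letting the substring hit alone decide.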


