= phenomenon =
At the moment while checking if a password is valid FAS does not check
how many characters are present.
Thus it allows things like "aaaaaaaaaaaaaaaaaaaa" as a password.
One solution is of course checking how many different characters are
present in the password and I have a quick patch which does that.
However, while discussing this with Kevin and Toshio on IRC we did
not find what would be an optimal number of different characters in the
password, which would be:
- high enough to make the password strong(er)
- low enough so that in case of brute force the number of possibilities
for each character added remains high.
So, do you have an opinion on the minimal number of different characters
a password should have?
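As an added illustration of the trade-off asked about above (not pingou's patch or FAS code), the following counts distinct characters the way the proposed check would, and then quantifies the second concern: requiring at least k distinct characters tells a brute-forcer which strings to skip, so it computes how many bits of search space the rule removes. It assumes a 94-symbol printable-ASCII alphabet and password length 8 for the table.

```python
from functools import lru_cache
from math import comb, factorial, log2

ALPHABET_SIZE = 94  # printable ASCII; an assumption for the illustration


def distinct_characters(password: str) -> int:
    """Number of different characters in the password (the proposed check)."""
    return len(set(password))


def passes_distinct_check(password: str, minimum: int) -> bool:
    """True when the password uses at least `minimum` distinct characters."""
    return distinct_characters(password) >= minimum


@lru_cache(maxsize=None)
def stirling2(n: int, k: int) -> int:
    """Stirling number of the second kind: ways to split n labelled
    positions into k non-empty groups."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def passwords_with_at_least(n: int, k: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Count strings of length n over `alphabet` symbols that use at least
    k distinct symbols. A string with exactly j distinct symbols: choose the
    j symbols, then map the n positions onto them surjectively (j! * S(n, j))."""
    return sum(comb(alphabet, j) * factorial(j) * stirling2(n, j)
               for j in range(k, min(n, alphabet) + 1))


def bits_lost(n: int, k: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Bits of brute-force search space removed by requiring k distinct
    characters, relative to all alphabet**n strings of length n."""
    return log2(alphabet ** n) - log2(passwords_with_at_least(n, k, alphabet))


if __name__ == "__main__":
    # Constructed sample: the password from the ticket fails any minimum above 1.
    print(distinct_characters("aaaaaaaaaaaaaaaaaaaa"))  # 1
    for k in range(1, 9):
        print(f"length 8, min {k} distinct: {bits_lost(8, k):.3f} bits lost")
```

For short passwords the loss stays tiny until k approaches the length, which is the region where the rule starts to shrink the keyspace noticeably.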
= reason =
Security is hard.
= recommendation =
pingou: I guess it is all a matter of balancing pros and cons, but I cannot make up my
mind on what is best ('aaaaaaaaaaaaaaaaaaaa' still seems to be a horrible
password to me).
styluseater: I was not implying the patch isn't worthwhile or that we shouldn't
apply it. I'm interested to hear feedback as to what you think would
be a good solution and the reasoning behind your thoughts. abadger1999
and nirik are more familiar with our systems than I am so beyond what
you stated in the mailing list earlier I'm not sure what wasn't
discussed during your IRC session. I believe abadger1999 is also the
project lead so I think any changes related to security would need to
be approved by him.
It's a hard problem that requires complementary tools. Such tools
might include randomized login delays on failures (I think we do this
already), temporary account locking (on suspected brute force) and
We should try to come up with some action items related to the above concerns.
I think this is duplicate (or better triplicate) of: [ticket:3027] [ticket:3064]
I'll try to summarize them on [ticket:3027].
Yeah, let's consolidate these. ;)
Please see ticket 3027 for more.