Ticket #2804 (closed task: fixed)

Opened 3 years ago

Last modified 3 years ago

Decide on FAS password requirements.

Reported by: ricky Owned by:
Priority: major Milestone: Fedora 15
Component: Security Version:
Severity: Normal Keywords: EasyFix programming
Cc: robatino Blocked By:
Blocking: Sensitive:

Description

Currently, the only requirement on FAS passwords are that they are at least 8 characters long. Should we make this stricter?

Change History

comment:1 Changed 3 years ago by addutko

The folks at University of Amsterdam recommend the following:

  • Nine or more characters with lower and upper case letters, digits and punctuation marks.
  • Ten or more characters with lower and upper case letters and digits.
  • Twelve or more characters with lower case letters and digits

They make another recommendation that passwords expire in a 1/5th of the time required to brute force a key space.

comment:2 Changed 3 years ago by kevin

We decided to go with the suggestions in comment 1.

Should we leave this open for implementation? Or close it out?

comment:3 Changed 3 years ago by ricky

  • Keywords meeting removed
  • Owner changed from lmacken,sysadmin-main-members to ricky
  • Status changed from new to assigned

Remove meeting, will implement this in git soon.

comment:4 Changed 3 years ago by toshio

  • Keywords EasyFix programming added

Let's leave it open and mark it easyfix. It's a fairly self-contained change to fas.

comment:5 Changed 3 years ago by toshio

  • Owner ricky deleted
  • Status changed from assigned to new

comment:6 Changed 3 years ago by robatino

  • Cc robatino added

The website should specify what the maximum password length is (and what characters are allowed), but it currently doesn't AFAICT. (I use a password manager, and whenever a website tells me what the maximum length is, I generate a random password of exactly that length for it.) And if possible, please make sure the key space is large enough that people who take advantage of it aren't forced to change password more than once every couple of years.

comment:7 Changed 3 years ago by toshio

For all lowercase characters, minimum length of 20 was suggested at the meeting.

There shouldn't be a maximum length (even currently).

I've tested that a 104 character string hashes differently than a 103 character truncation of that.

comment:8 Changed 3 years ago by toshio

  • Resolution set to fixed
  • Status changed from new to closed

Done and deployed.

Note: See TracTickets for help on using tickets.