
Fedora account system (FAS) potential information disclosure

Posted May 13, 2013 22:28 UTC (Mon) by rahvin (subscriber, #16953)
In reply to: Fedora account system (FAS) potential information disclosure by pabs
Parent article: Fedora account system (FAS) potential information disclosure

If you can't remember it, you are doing it wrong. I'm an advocate of phrases that you remember and that mean something only to you; use appropriate capitalization and punctuation and you will more than likely have stronger security than even the most complicated of passwords. The passphrase(s) I've started using exceed 20 characters and are very easy to remember and fast to type, and I don't have the risk of pieces of paper lying around that compromise the security or can get lost.

I stopped using passwords when I started grep'ing the ones I use commonly against the big password lists that you can use with John the Ripper. I found most of my obscure passwords are in the list with slight variations. Though a nice random one is probably secure, it's darn near impossible to remember. We need to do away with the password and open the field up to 255 characters so people can start using easy to remember phrases.


Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 0:07 UTC (Tue) by paulj (subscriber, #341) [Link]

So long as we have pass-words/phrases, we need to remember 2 constraints:

a) Most of us can't remember more than a few of them

b) Passwords should not be re-used across accounts, other than in the few exceptional cases that have identical security risks/consequences.

Given we tend to have dozens of pass-word/phrase secured accounts, this implies:

* We must reserve passwords that we commit to memory for a select few accounts - the most sensitive ones (banking? the email account that you register with, which any "password reset" emails will be sent to?)

* The rest of the passwords, for the less sensitive accounts, must be recorded somewhere, for we can not remember them (use the password saving feature of your browser? write them down on paper and keep that somewhere safe?)

Writing down passwords is, despite the advice of some well-meaning security "experts", not only acceptable, but may be more effective and keep you more secure. For it can allow you to choose truly random passwords for the vast majority of accounts.

Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 7:09 UTC (Tue) by jezuch (subscriber, #52988) [Link]

> a) Most of us can't remember more than a few of them

Make the passphrase describe the site you're trying to log in to, in a way that only your unique way of thinking could make up. And do it in an obscure language. My choice is la.lojban. ;)

Fedora account system (FAS) potential information disclosure

Posted May 31, 2013 3:48 UTC (Fri) by pabs (subscriber, #43278) [Link]

The advantage of Diceware is that the generated passwords are completely random, contain enough entropy and are fairly memorable:

https://xkcd.com/936/

Adding capitalization and punctuation makes passphrases harder to remember. Especially in stressful situations.

I agree that passphrases need to be gotten rid of. The only appropriate use for them is in a local context; login passphrases and passphrases used for the decryption of secret keys stored locally (LUKS, GPG, SSH etc). Even those need to be long, memorable and random.
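As an added example (not code from the thread or from the Diceware project): a Diceware-style generator that selects words with a CSPRNG by simulating dice rolls, plus the entropy arithmetic behind the "enough entropy" claim above. The 36-word list is constructed for the example and stands in for the real 7776-word list; the function names are my own.

```python
import math
import secrets

DIE_FACES = 6

# Constructed stand-in for a Diceware word list: 6**2 = 36 words indexed by
# two dice. The real list holds 6**5 = 7776 words indexed by five dice; the
# lookup logic below is the same for any list of exactly 6**k words.
SAMPLE_WORDS = [
    "apple", "brick", "candle", "delta", "ember", "fjord",
    "garlic", "harbor", "igloo", "jungle", "kettle", "lantern",
    "marble", "nickel", "oyster", "pebble", "quartz", "rocket",
    "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "bishop", "copper", "dragon",
    "falcon", "glacier", "hammer", "island", "jasmine", "kayak",
]


def roll_index(dice: int) -> int:
    """Roll `dice` fair dice with a CSPRNG and map the faces to a list index."""
    index = 0
    for _ in range(dice):
        # secrets.randbelow(6) is 0..5, i.e. face 1..6 shifted down by one
        index = index * DIE_FACES + secrets.randbelow(DIE_FACES)
    return index


def diceware_passphrase(words, n_words: int, separator: str = " ") -> str:
    """Pick n_words uniformly at random; the entropy claim only holds if the
    words are chosen by the dice, never by the user."""
    dice = round(math.log(len(words), DIE_FACES))
    if DIE_FACES ** dice != len(words):
        raise ValueError("word list must hold exactly 6**k entries")
    return separator.join(words[roll_index(dice)] for _ in range(n_words))


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Bits of entropy for n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def equivalent_random_chars(bits: float, alphabet_size: int = 95) -> int:
    """Length of a uniformly random string over `alphabet_size` printable
    characters (95 printable ASCII by default) with at least `bits` entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDS, 5))
    bits = passphrase_entropy_bits(6 ** 5, 6)
    print(f"6 words from 7776: {bits:.1f} bits, about "
          f"{equivalent_random_chars(bits)} random printable characters")
```

Six words from the full 7776-word list give about 77.5 bits, roughly what a 12-character uniformly random printable-ASCII password provides, which is the trade-off between memorability and length the comments above are discussing.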


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds