Hi Jan,

Jan Owoc wrote:
> I can confirm that the previous settings in Savannah (haven't
> checked now) would not allow a few completely random passwords
> because they were apparently based on dictionary words.

The recent change should allow people to use passphrases. Before, those would have been capped at 40 characters, which may have been too short for a passphrase. Should work now. Everything else is pretty much the same, meaning that there is still trouble with some random passwords.

> It was immensely frustrating (as a user) to be first told that none
> of my common passwords pass,

Whenever I hear "common passwords" I always cringe. Please read:

Why passwords have never been weaker—and crackers have never been stronger
http://arstechnica.com/security/2012/08/passwords-under-assault/

From the article: "The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them..."

I never reuse passwords. Every site is unique. I am not an average user as I have hundreds of accounts. I accomplish this by keeping a file of account information. But any method such as "password wallet" programs or whatever would be okay too. There are many ways to accomplish the goal.

> then turn to a password generator and be told that a password
> looking like "ohtaOe0huChiel9m" is based on a dictionary word.

Yes. That is exactly the reaction I had as well.

One of the problems is that password checkers usually look at the plain text of the password. But crackers either try and try again using heuristics and dictionaries, or they have access to the hashed password and crack it with rainbow tables and other parallel attacks. Having access to the plain text encourages shortcuts that are not available to the cracker. It makes for many false positives. In summary, just because "dog" is in the dictionary doesn't make "2ZJUptQJ5dog7wwq3OMrNd14bxAJ1" insecure because it contains it.

> I think it took me 3 tries to generate something that would be
> acceptable (longer passwords are more likely to have a 4-character
> sub-string that is apparently based on a dictionary word).

Yes.

But longer passwords with pwqcheck are also more likely to be longer than the minimum lengths configured due to having more character classes. Currently 24 characters long is the magic length to be guaranteed to pass the check. If generating random passwords, then knowing this and generating 24 random characters would be just as easy for the human as 17 or 8, as long as they are not typing them in.

Bob
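The two mechanisms Bob describes, a minimum length that drops as the number of character classes rises, and a dictionary-substring check that fires on "dog" inside a long random string, can be modelled side by side to see why the second produces false positives. The following is an added example written for this page; it is not pwqcheck's or passwdqc's code and not part of the original message. The thresholds in MIN_LENGTH_BY_CLASSES and the wordlist SAMPLE_WORDS are constructed for illustration (only "24 for two classes" is taken from the message), and the entropy figure is a simple upper-bound estimate, not a cracking-cost model.

```python
import math
import string

# Assumed thresholds (constructed for this example, not copied from any real
# pwqcheck configuration): minimum length for a password that uses 1, 2, 3 or
# 4 character classes. None means that class count is never accepted. The
# 24-character value for two classes is the "magic length" from the message.
MIN_LENGTH_BY_CLASSES = {1: None, 2: 24, 3: 11, 4: 8}

# Constructed sample wordlist; a real checker would use a far larger one.
SAMPLE_WORDS = ["dog", "cat", "pass", "word"]

# Size of each class within printable ASCII (26 + 26 + 10 + 33 = 95).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def classes_used(password):
    """Return the set of character classes present in the password."""
    seen = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            seen.add("lower")
        elif ch in string.ascii_uppercase:
            seen.add("upper")
        elif ch in string.digits:
            seen.add("digit")
        else:
            seen.add("other")
    return seen


def length_policy(password):
    """Class-aware minimum length rule. Returns (accepted, reason)."""
    classes = len(classes_used(password))
    needed = MIN_LENGTH_BY_CLASSES[classes]
    if needed is None:
        return False, f"{classes} character class is never accepted"
    if len(password) < needed:
        return False, (f"{classes} classes need at least {needed} characters, "
                       f"got {len(password)}")
    return True, "ok"


def dictionary_substrings(password, words, min_len=3):
    """Wordlist entries that occur inside the password, case-insensitively.

    This is the plain-text shortcut the message complains about: it flags
    "dog" inside a 29-character random string just as readily as "dog" alone.
    """
    lowered = password.lower()
    return [w for w in words if len(w) >= min_len and w.lower() in lowered]


def entropy_bits(password, words=()):
    """Upper-bound entropy estimate for a uniformly random password.

    Each character contributes log2(alphabet) bits, where the alphabet is the
    union of the classes the password actually uses. Any dictionary word found
    as a substring is charged as a single choice from the wordlist rather
    than as per-character randomness, which is roughly the credit a cracker
    who tries that word would get.
    """
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    per_char = math.log2(alphabet)
    found = dictionary_substrings(password, words)
    random_chars = max(len(password) - sum(len(w) for w in found), 0)
    bits = random_chars * per_char
    if found:
        bits += len(found) * math.log2(len(words))
    return bits


def assess(password, words=SAMPLE_WORDS):
    """Combine both checks so the false positive is visible next to the entropy."""
    accepted, reason = length_policy(password)
    return {
        "classes": len(classes_used(password)),
        "length_ok": accepted,
        "reason": reason,
        "dictionary_hits": dictionary_substrings(password, words),
        "entropy_bits": round(entropy_bits(password), 1),
        "entropy_bits_after_dictionary": round(entropy_bits(password, words), 1),
    }


if __name__ == "__main__":
    # The two passwords quoted in the message, plus a 24-character two-class one.
    for pw in ("ohtaOe0huChiel9m", "2ZJUptQJ5dog7wwq3OMrNd14bxAJ1",
               "abcDEFghiJKLmnoPQRstuVWX"):
        print(pw, assess(pw))
```

Running it shows the point of the thread in numbers: the 29-character string containing "dog" is flagged by the substring check, yet charging that word as a single wordlist pick only lowers the estimate from roughly 173 bits to roughly 157 bits, far above anything a brute-force or rainbow-table search could reach. A checker that works on the plain text sees the word; a cracker working from the hash still faces the other 26 random characters.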