Re: [aur-dev] [PATCH] Increase minimum password length to 8 characters

[Lukas Fleischer]

On Wed, 04 Jan 2017 at 00:03:35, Alex Muller via aur-dev wrote:
> Patch follows, thanks for your help!

Merged to pu. Thanks!

Re: [aur-dev] [PATCH] Increase minimum password length to 8 characters

[Alex Muller via aur-dev]

> Since this is also in the patch, I would not really include these
> paragraphs in
> the patch since they are not all that necessary to be that verbose about
> it.

Removed a bit of the context from the commit message.

> I would change this to "Fixes: FS#52297" instead.

Updated to just "Relates to" because I'd like to see the codebase stop
using MD5 for passwords before I consider that fixed :)

Patch follows, thanks for your help!


>From d1cffe291c93073f62272c17aae1346dfabe4f55 Mon Sep 17 00:00:00 2001
From: Alex Muller 
Date: Mon, 2 Jan 2017 11:09:44 +
Subject: [PATCH] Increase minimum password length to 8 characters

There are 95 printable ASCII characters which with a minimum length
of 4 gives 95^4 or 81 million possible passwords. Increasing the
minimum length to 8 increases the number of possible passwords by
a factor of about 10^7.

Relates to FS#52297.

Signed-off-by: Alex Muller 
---
 conf/config.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/config.proto b/conf/config.proto
index 96fad80..63e2458 100644
--- a/conf/config.proto
+++ b/conf/config.proto
@@ -9,7 +9,7 @@ password = aur
 [options]
 username_min_len = 3
 username_max_len = 16
-passwd_min_len = 4
+passwd_min_len = 8
 default_lang = en
 sql_debug = 0
 max_sessions_per_user = 8
-- 
2.11.0

Re: [aur-dev] [PATCH] Increase minimum password length to 8 characters

[Mark Weiman]

On Mon, 2017-01-02 at 12:41 +, Alex Muller via aur-dev wrote:
> Hi,
> 
> I'm new to AUR so I hope sending a patch like this is the correct thing
> to do.
> 

Use git-send-email(1) or send the patch inline instead of adding a patch as an
attachment and make sure you sign-off on the patch.

> There are 95 printable ASCII characters which with a minimum length
> of 4 gives 95^4 or 81 million possible passwords.
> 
> Increasing the minimum length to 8 increases the number of possible
> passwords by a factor of about 10^7. I imagine most AUR users have
> pretty good password practice so they won't be affected by this change,
> but it will improve security for a subset of users.
> 
> For a given user I can generate all 4 character passwords on my laptop
> in under 2 minutes in Python and therefore all 5 character passwords
> in a few hours. This change makes it much harder (but still nowhere
> near impossible) to brute force generate passwords.
> 

Since this is also in the patch, I would not really include these paragraphs in
the patch since they are not all that necessary to be that verbose about it.

> FS#52297 
> 

I would change this to "Fixes: FS#52297" instead.

> Cheers,
> 
> Alex

Mark Weiman

[aur-dev] [PATCH] Increase minimum password length to 8 characters

[Alex Muller via aur-dev]

Hi,

I'm new to AUR so I hope sending a patch like this is the correct thing
to do.

There are 95 printable ASCII characters which with a minimum length
of 4 gives 95^4 or 81 million possible passwords.

Increasing the minimum length to 8 increases the number of possible
passwords by a factor of about 10^7. I imagine most AUR users have
pretty good password practice so they won't be affected by this change,
but it will improve security for a subset of users.

For a given user I can generate all 4 character passwords on my laptop
in under 2 minutes in Python and therefore all 5 character passwords
in a few hours. This change makes it much harder (but still nowhere
near impossible) to brute force generate passwords.

FS#52297 

Cheers,

Alex
From d09b53429a78dc7119866efa17bc97a3c25cff76 Mon Sep 17 00:00:00 2001
From: Alex Muller 
Date: Mon, 2 Jan 2017 11:09:44 +
Subject: [PATCH] Increase minimum password length to 8 characters

There are 95 printable ASCII characters which with a minimum length
of 4 gives 95^4 or 81 million possible passwords.

Increasing the minimum length to 8 increases the number of possible
passwords by a factor of about 10^7. I imagine most AUR users have
pretty good password practice so they won't be affected by this change,
but it will improve security for a subset of users.

For a given user I can generate all 4 character passwords on my laptop
in under 2 minutes in Python and therefore all 5 character passwords
in a few hours. This change makes it much harder (but still nowhere
near impossible) to brute force generate passwords.

FS#52297 
---
 conf/config.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/config.proto b/conf/config.proto
index 96fad80..63e2458 100644
--- a/conf/config.proto
+++ b/conf/config.proto
@@ -9,7 +9,7 @@ password = aur
 [options]
 username_min_len = 3
 username_max_len = 16
-passwd_min_len = 4
+passwd_min_len = 8
 default_lang = en
 sql_debug = 0
 max_sessions_per_user = 8
-- 
2.11.0