[Savannah-users] password must be more complicated

2013-05-07 Thread Bob Proulx
Hi Bruce,

Bruce Korb wrote:
> Now that passwords are a teeny tad more of a nuisance,

The change posted should make them easier to use not harder to use.
Let me explain and then perhaps you can describe your problems.
Because I also see problems and am about to propose an additional
change.

We went from this to that:

  pwqcheck option changes

  - min=disabled,24,11,8,7
  + min=24,24,11,8,7
  - max=40
  + max=256

Where:

 min=N0,N1,N2,N3,N4

 (default: min=disabled,24,11,8,7) The minimum allowed
 password lengths for different kinds of
 passwords/passphrases.  The keyword disabled can be used
 to disallow passwords of a given kind regardless of their
 length.  Each subsequent number is required to be no
 larger than the preceding one.

 N0 is used for passwords consisting of characters from
 one character class only.  The character classes are:
 digits, lower-case letters, upper-case letters, and
 other characters.  There is also a special class for
 non-ASCII characters, which could not be classified, but
 are assumed to be non-digits.

The previous was "disabled" so no amount of single class (lower case
for example) characters would be enough.  But now you could type in 24
of them and it would be "good enough".  Previously this was disabled.

 N1 is used for passwords consisting of characters from
 two character classes that do not meet the requirements
 for a passphrase.

No change.  Still 24 characters.

 N2 is used for passphrases.  Note that besides meeting
 this length requirement, a passphrase must also consist
 of a sufficient number of words (see the passphrase
 option below).

No change.  Still 11 characters.

 N3 and N4 are used for passwords consisting of characters
 from three and four character classes, respectively.

No change.  Still 8,7 characters.

   max=N (default: max=40) The maximum allowed password length.
 This can be used to prevent users from setting passwords
 that may be too long for some system services.  The
 value 8 is treated specially: if max is set to 8,
 passwords longer than 8 characters will not be rejected,
 but will be truncated to 8 characters for the strength
 checks and the user will be warned.  This is to be used
 with the traditional DES-based password hashes, which
 truncate the password at 8 characters.

Increased the allowed length from 40 to 256.

So previously passwords that were all lower case, one character class,
were disabled.  The change makes them valid if there are enough of
them.  Ineiev posted that suggestion and implemented it.  (Thanks
Ineiev!)  Seemed reasonable to me.  I think that could only be an
improvement.  Do you agree?

But playing around with things I find some crazy behavior.  Check this
out.  I ran pwgen to create random passwords.  I tried some.  The
first several I tried failed.  Others did work.

  $ echo ohtaOe0h | pwqcheck -1 max=256 min=disabled,24,11,8,7
  Bad passphrase (based on a dictionary word and not a passphrase)

  $ echo uChiel9m | pwqcheck -1 max=256 min=disabled,24,11,8,7
  Bad passphrase (based on a dictionary word and not a passphrase)

  $ echo Iephoo3i | pwqcheck -1 max=256 min=24,24,11,8,7
  Bad passphrase (not enough different characters or classes for this length)

  $ echo ox8iChae | pwqcheck -1 max=256 min=24,24,11,8,7
  OK

Those were completely randomly generated and yet they fail the
checker?  That doesn't seem reasonable.  Part of the problem seems to
be the match check.

 match=N (default: match=4) The length of common substring
 required to conclude that a password is at least
 partially based on information found in a character
 string, or 0 to disable the substring search.  Note that
 the password will not be rejected once a weak substring
 is found; it will instead be subjected to the usual
 strength requirements with the weak substring partially
 discounted.

Setting match=0 seems to help with the "dictionary" issue.

  $ echo ohtaOe0h | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
  OK

  $ echo uChiel9m | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
  OK

But not all of the problems.

  $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,24,11,8,7
  Bad passphrase (not enough different characters or classes for this length)

That has three character classes, lower, upper, digits, and so should
need N3=8 characters.  It is 8 characters long and so should meet the
requirements.  But it doesn't.  By experimentation it is N1 which is
the controlling variable in the above.  But I can't reconcile that
against ox8iChae being okay.  There is no differe

Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Ineiev

On 05/07/2013 11:48 AM, Bob Proulx wrote:

But playing around with things I find some crazy behavior.  Check this
out.  I ran pwgen to create random passwords.  I tried some.  The
first several I tried failed.  Others did work.

  $ echo ohtaOe0h | pwqcheck -1 max=256 min=disabled,24,11,8,7
  Bad passphrase (based on a dictionary word and not a passphrase)

  $ echo uChiel9m | pwqcheck -1 max=256 min=disabled,24,11,8,7
  Bad passphrase (based on a dictionary word and not a passphrase)

  $ echo Iephoo3i | pwqcheck -1 max=256 min=24,24,11,8,7
  Bad passphrase (not enough different characters or classes for this length)

  $ echo ox8iChae | pwqcheck -1 max=256 min=24,24,11,8,7
  OK


pwgen -1 -s 8 1|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done |grep ^OK|wc -l

8698

pwgen -1 -s 9 1|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done |grep ^OK|wc -l

9334

Of course, an independent generator will produce some passwords
that don't pass pwqcheck criteria, but IMHO the results
are reasonable (provided the goal is to eliminate weak passwords
rather than to accept all pwgen-generated ones).



Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Jan Owoc
Hi Bob,

On Tue, May 7, 2013 at 1:48 AM, Bob Proulx  wrote:
> Setting match=0 seems to help with the "dictionary" issue.
>
>   $ echo ohtaOe0h | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
>   OK
>
>   $ echo uChiel9m | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
>   OK
>
[...]
>
> Does anyone see why the results are so crazy using pwqcheck?  Is this
> problem causing users grief?  Or a different problem?

I can confirm that the previous settings in Savannah (haven't checked
now) would not allow a few completely random passwords because they
were apparently based on dictionary words. It was immensely
frustrating (as a user) to be first told that none of my common
passwords pass, then turn to a password generator and be told that a
password looking like "ohtaOe0huChiel9m" is based on a dictionary
word. I think it took me 3 tries to generate something that would be
acceptable (longer passwords are more likely to have a 4-character
sub-string that is apparently based on a dictionary word).

Jan



[Savannah-users] How to add files?

2013-05-07 Thread Julian
I figured out how to do everything else, but I don't see how to add 
files to my project's directory in download.savannah.gnu.org/releases/. 
I don't see anything about this in the "Site Help" links. What did I miss?




[Savannah-users] How do you add files?

2013-05-07 Thread Julian
Looks like it didn't go through when I sent it yesterday, maybe I sent 
it too soon... sorry if it ends up a double-post.


I figured out how to do everything else, but I don't see how to add 
files to my project's directory in download.savannah.gnu.org/releases/. 
I don't see anything about this in the "Site Help" links. What did I miss?




Re: [Savannah-users] How to add files?

2013-05-07 Thread rsiddharth
Hey Julian,

> I figured out how to do everything else, but I don't see how to add
> files to my project's directory in
> download.savannah.gnu.org/releases/. I don't see anything about this
> in the "Site Help" links. What did I miss?

Check this out: http://savannah.gnu.org/maintenance/DownloadArea

Hope that helps.
-- 
rsiddharth
http://rsiddharth.ninth.su




Re: [Savannah-users] How do you add files?

2013-05-07 Thread Tomasz Konojacki
Hi!

http://savannah.gnu.org/maintenance/DownloadArea

Regards,
Tomasz

> Date: Tue, 7 May 2013 09:34:25 -0400
> From: onp...@riseup.net
> To: savannah-users@gnu.org
> Subject: [Savannah-users] How do you add files?
> 
> Looks like it didn't go through when I sent it yesterday, maybe I sent 
> it too soon... sorry if it ends up a double-post.
> 
> I figured out how to do everything else, but I don't see how to add 
> files to my project's directory in download.savannah.gnu.org/releases/. 
> I don't see anything about this in the "Site Help" links. What did I miss?
> 


Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Jan Owoc
On Tue, May 7, 2013 at 1:47 PM, Luiji Maryo  wrote:
> Behold my ultimate password generator in Python:
>
> import random, string
> p = ""
> for i in range(0, 20): p += random.choice(string.printable)
> print p # print(p) in python 3
>
> That works like a charm on virtually everything I've ever wanted a secure
> password on, including Savannah.

We're digressing a bit here, but I don't believe you actually tried
the above more than a few times. Just because a character is printable
doesn't mean you can find it on a keyboard.

>>> string.printable
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'

Good luck with a password consisting of a vertical tab, form-feed and
carriage return :-).

Jan

P.S. The dollar symbol isn't on all keyboards, so I'd also remove it
from the list of acceptable characters.
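An added example for this part of the thread (it is not Luiji's or Jan's code): the one-liner quoted above draws from string.printable with the non-cryptographic random module. The version below keeps the same idea but restricts the alphabet to the printable ASCII characters minus whitespace (dropping the tab, newline, carriage return, vertical tab and form feed that Jan points out), lets the caller exclude further characters such as "$", and draws with the secrets module, which uses the operating system's CSPRNG. The 20-character default and the entropy figure are assumptions for illustration.

```python
import math
import secrets
import string

# Characters present in string.printable that cannot sensibly be typed into a
# password field: space, tab, newline, carriage return, vertical tab, form feed.
UNTYPABLE = set(string.whitespace)


def password_alphabet(exclude: str = "") -> str:
    """Printable ASCII minus whitespace minus any caller-supplied characters
    (for example "$" for keyboards that lack it, or quotes that break shell
    scripts).  With no exclusions this is 94 symbols."""
    return "".join(c for c in string.printable
                   if c not in UNTYPABLE and c not in exclude)


def generate_password(length: int = 20, exclude: str = "") -> str:
    """Draw `length` characters uniformly at random from the alphabet using
    the OS CSPRNG (secrets), not the Mersenne Twister behind `random`."""
    alphabet = password_alphabet(exclude)
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and an alphabet of 2+ symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    20 characters from 94 symbols is about 131 bits."""
    return length * math.log2(alphabet_size)


def is_typable(password: str, exclude: str = "") -> bool:
    """True if every character of `password` is in the permitted alphabet."""
    allowed = set(password_alphabet(exclude))
    return all(c in allowed for c in password)


if __name__ == "__main__":
    pw = generate_password(20, exclude="$")
    print(pw, "typable:", is_typable(pw, exclude="$"))
    print("bits of entropy:", round(entropy_bits(20, len(password_alphabet("$"))), 1))
```

Whether a 20-character output of this generator then clears pwqcheck is a separate question: the class/length rule is almost certainly satisfied, but the dictionary substring check discussed earlier in the thread can still reject it.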



Re: [Savannah-users] How to add files?

2013-05-07 Thread Julian

On 05/07/2013 12:16 PM, rsiddharth wrote:

Hey Julian,


I figured out how to do everything else, but I don't see how to add
files to my project's directory in
download.savannah.gnu.org/releases/. I don't see anything about this
in the "Site Help" links. What did I miss?

Check this out: http://savannah.gnu.org/maintenance/DownloadArea

Hope that helps.


Thanks, to both who answered. :)



Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Bob Proulx
Ineiev wrote:
> pwgen -1 -s 8 1|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done |grep ^OK|wc -l
> 
> 8698

Because traditional passwords were often eight characters we still
often pick passwords that are eight characters long.  So 87% of random
passwords will be accepted.  13% will not!  That still seems to be a
fairly high rejection rate to me.

> pwgen -1 -s 9 1|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done |grep ^OK|wc -l
> 
> 9334

By pushing one more character to nine we are down to a 7% rejection
rate.  That still isn't great.  But it is significantly better than
the 13% of eight characters.

And that is just randomly generated.  People thinking up characters
will not produce random enough output.  Some people will always think
up ones in the accepted set.  Some people will always think up ones in
the rejected set.  Because people are poor entropy generators.

> Of course, an independent generator will produce some passwords
> that don't pass pwqcheck criteria, but IMHO the results
> are reasonable (provided the goal is to eliminate weak passwords
> rather than to accept all pwgen-generated ones).

I had two goals with my message.  One is that I think the rejection
rate (which you so nicely determined experimentally as 13%, thank you)
is quite high, too high, using pwqcheck, and I would like to reduce it.

Two is that pwqcheck is just one way of checking the plain text of a
password.  I can only believe that there has been a lot of energy
expended looking at this task in projects world wide and that there
may be a better way of ensuring strong passwords.  I have looked at
the problem previously but don't have a great answer.  People tend to
create poor passwords and if you try to educate them to produce better
ones then they become frustrated that it is too much work.

I put the question out there hoping that someone would already know a
nice way to do this and then we might incorporate it into the Savannah
site.  Nothing ventured then nothing gained.

Bob



Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Bob Proulx
Hi Jan,

Jan Owoc wrote:
> I can confirm that the previous settings in Savannah (haven't
> checked now) would not allow a few completely random passwords
> because they were apparently based on dictionary words.

The recent change should allow people to use passphrases.  Before
those would have been capped at 40 characters which may have been too
short for a passphrase.  Should work now.  Everything else is pretty
much the same.  Meaning that it is still trouble with some random
passwords.

> It was immensely frustrating (as a user) to be first told that none
> of my common passwords pass,

Whenever I hear "common passwords" I always cringe.  Please read:

  Why passwords have never been weaker—and crackers have never been stronger
  http://arstechnica.com/security/2012/08/passwords-under-assault/

  From the article:
  "The average Web user maintains 25 separate accounts but uses just
  6.5 passwords to protect them..."

I never reuse passwords.  Every site is unique.  I am not an average
user as I have hundreds of accounts.  I accomplish this by keeping a
file of account information.  But any method such as "password wallet"
programs or whatever would be okay too.  There are many ways to
accomplish the goal.

> then turn to a password generator and be told that a password
> looking like "ohtaOe0huChiel9m" is based on a dictionary word.

Yes.  That is exactly the reaction I had as well.

One of the problems is that password checkers usually look at the
plain text of the password.  But crackers either try and try again
using heuristics and dictionaries, or they have access to the hashed
password and crack it with rainbow tables and other parallel attacks.
Having access to the plain text encourages shortcuts that are not
available to the cracker.  It makes for many false positives.

In summary just because "dog" is in the dictionary doesn't make
"2ZJUptQJ5dog7wwq3OMrNd14bxAJ1" insecure because it contains it.

> I think it took me 3 tries to generate something that would be
> acceptable (longer passwords are more likely to have a 4-character
> sub-string that is apparently based on a dictionary word).

Yes.  But longer passwords with pwqcheck are also more likely to be
longer than the minimum lengths configured due to having more
character classes.  Currently 24 characters long is the magic length
to be guaranteed to pass the check.  If generating random passwords
then knowing this and generating 24 random characters would be just as
easy for the human as 17 or 8 as long as they are not typing them in.

Bob



Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Karl Berry
  $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,24,11,8,7
  Bad passphrase (not enough different characters or classes for this length)

That has three character classes, lower, upper, digits, and so
should need N3=8 characters.  It is 8 characters long and so should
meet the requirements.  But it doesn't.  

It is 8 characters long but not 8 *unique* characters -- o is repeated,
there are no repeated chars in ox8iChae.

Could that be the reason?  Just a wild guess.
(I think it is absurd that this password is rejected, BTW.)

  $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,8,8,8,8
  OK

Does anyone see why the results are so crazy using pwqcheck?  Is this
problem causing users grief?  

It is one of the problems, for sure.  Users put together 3 different
classes in their 8 chars (already a big pain), it fails, and since the
feedback as to why it fails is not specific, they just iterate randomly
and find one that works.  Very frustrating.  I've been frustrated by it
myself.

Is there a way to get pwqcheck to report more specifically why a pw is
bad?

Taking a completely different approach...  Does anyone have a good
method of checking and ensuring password strength?  The goal isn't to
use pwqcheck but to try to avoid the too-weak password problem.

At one site I administered, I had a pwchange script which would try to
crack the proposed password for a few seconds.  (And for longer
overnight.)  That caught a lot of things -- the things which crackers
would be most likely to find -- without being much of a hassle.  (I
forget the crack script I used, it was whatever was commonly/publicly
available at the time.)  Clearly this would not replace the kinds of
checks that are being done now, though.

Nevertheless, I think our pw requirements are too strong.  In the sense
that sv makes requirements that no one else does.  Furthermore, getting
in to some sv user's web account is really not very interesting to
crackers -- the worst they could do is screw up the stuff for that
user's projects.  My experience is that cracks are directed at gaining
shell/root access.

Anyway ... can you make a proposal for the pwqcheck args to reduce the
pain, Bob?  I am not sure where we stand.

Thanks,
karl
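An added example for Bob's "I can't reconcile that against ox8iChae" question and for Karl's repeated-character guess (this is not passwdqc's code): a re-implementation of the character-class and length rule behind the "not enough different characters or classes for this length" verdict, following my reading of is_simple() in passwdqc's passwdqc_check.c. Two details are what matter here. First, a capital letter in the first position and a digit in the last position do not count as extra classes, which is why "Iephoo3i" is scored as a two-class password (so N1=24 governs it) while "ox8iChae" is scored as three-class (N3=8). Second, each threshold also requires at least half that many distinct characters, which is the "different characters" half of the message. The dictionary substring ("match=") check is deliberately not modelled, so a password this function accepts can still fail the real pwqcheck, as ohtaOe0h did above.

```python
from typing import Optional, Sequence, Tuple

# Added example, not the project's code: models the class/length rule of
# pwqcheck as I read it from passwdqc_check.c.  No dictionary check here.

DISABLED = None                          # the "disabled" keyword in min=...
OLD_SAVANNAH = (DISABLED, 24, 11, 8, 7)  # min= before the change in the thread
NEW_SAVANNAH = (24, 24, 11, 8, 7)        # min= after it


def check_classes(password: str,
                  min_lengths: Sequence[Optional[int]] = NEW_SAVANNAH,
                  passphrase_words: int = 3) -> Tuple[bool, int, int]:
    """Return (accepted, classes_counted, distinct_chars).

    classes_counted is the number of character classes AFTER the two
    discounts (leading capital, trailing digit) have been applied.
    """
    digits = lowers = uppers = others = unknowns = words = 0
    prev = " "
    for c in password:
        is_ascii = ord(c) < 128
        if not is_ascii:
            unknowns += 1          # non-ASCII: special class, handled below
        elif c.isdigit():
            digits += 1
        elif c.islower():
            lowers += 1
        elif c.isupper():
            uppers += 1
        else:
            others += 1
        # A "word" (for the passphrase rule) starts where a letter follows a
        # non-letter, or a non-ASCII character follows whitespace.
        if ord(prev) < 128:
            if is_ascii:
                if c.isalpha() and not prev.isalpha():
                    words += 1
            elif prev.isspace():
                words += 1
        prev = c

    length = len(password)
    if length == 0:
        return (False, 0, 0)
    distinct = len(set(password))

    # "Password1" style: a capital only at the start or a digit only at the
    # end does not buy an extra class.
    if uppers and ord(password[0]) < 128 and password[0].isupper():
        uppers -= 1
    if digits and ord(password[-1]) < 128 and password[-1].isdigit():
        digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n)
    if unknowns and classes <= 1 and (not classes or digits or words >= 2):
        classes += 1

    def long_enough(idx: int) -> bool:
        need = min_lengths[idx]
        # Besides the length, at least need/2 DISTINCT characters are needed,
        # so "a" * 24 is still too simple even with N0=24.
        return need is not None and length >= need and distinct >= need // 2

    # Try the threshold for the class count we have, then fall back to the
    # stricter thresholds for fewer classes.
    for k in range(classes, 0, -1):
        if k == 4 and long_enough(4):
            return (True, classes, distinct)
        if k == 3 and long_enough(3):
            return (True, classes, distinct)
        if k == 2:
            if long_enough(1):
                return (True, classes, distinct)
            if 0 < passphrase_words <= words and long_enough(2):
                return (True, classes, distinct)
        if k == 1 and long_enough(0):
            return (True, classes, distinct)
    return (False, classes, distinct)


if __name__ == "__main__":
    for pw in ("Iephoo3i", "ox8iChae", "ohtaOe0h", "a" * 24,
               "abcdefghijklmnopqrstuvwx", "correct horse battery staple"):
        for name, policy in (("old", OLD_SAVANNAH), ("new", NEW_SAVANNAH)):
            ok, classes, distinct = check_classes(pw, policy)
            print(f"{pw!r:32} {name}: {'OK' if ok else 'too simple':10}"
                  f" classes={classes} distinct={distinct}")
```

With min=24,8,8,8,8, as in Karl's test, "Iephoo3i" passes because its two counted classes now only need N1=8; the repeated "o" is irrelevant at that length since only 4 distinct characters are required. Karl's guess is not wrong in general, though: under the same rule "a" * 24 has the required length for N0=24 but not the 12 distinct characters, so it is rejected.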



Re: [Savannah-users] password must be more complicated

2013-05-07 Thread Luiji Maryo
Behold my ultimate password generator in Python:

import random, string
p = ""
for i in range(0, 20): p += random.choice(string.printable)
print p # print(p) in python 3

That works like a charm on virtually everything I've ever wanted a secure
password on, including Savannah.


On Tue, May 7, 2013 at 10:15 AM, Jan Owoc  wrote:

> Hi Bob,
>
> On Tue, May 7, 2013 at 1:48 AM, Bob Proulx  wrote:
> > Setting match=0 seems to help with the "dictionary" issue.
> >
> >   $ echo ohtaOe0h | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
> >   OK
> >
> >   $ echo uChiel9m | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
> >   OK
> >
> [...]
> >
> > Does anyone see why the results are so crazy using pwqcheck?  Is this
> > problem causing users grief?  Or a different problem?
>
> I can confirm that the previous settings in Savannah (haven't checked
> now) would not allow a few completely random passwords because they
> were apparently based on dictionary words. It was immensely
> frustrating (as a user) to be first told that none of my common
> passwords pass, then turn to a password generator and be told that a
> password looking like "ohtaOe0huChiel9m" is based on a dictionary
> word. I think it took me 3 tries to generate something that would be
> acceptable (longer passwords are more likely to have a 4-character
> sub-string that is apparently based on a dictionary word).
>
> Jan
>
>


-- 
- Luiji Maryo
mail: lu...@users.sourceforge.net
blog: http://brainboyblogger.blogspot.com/
corp: http://www.entertainingsoftware.com/
fun: http://www.secretmaryo.org/