Re: [Savannah-users] password must contain multiple character classes...

2013-05-05 Thread jidanni
> "I" == Ineiev   writes:
I>   when they are long enough (24 bytes or longer);
Man, you guys are the BDSM of password lords...



Re: [Savannah-users] password must contain multiple character classes...

2013-05-05 Thread Ineiev

On 05/06/2013 09:48 AM, Bob Proulx wrote:

Dan (jidanni) the original poster isn't subscribed.  He didn't ask to
be CC'd so we haven't been doing so.  Would you write him and let him
know that you improved things for him?


Done.


I have no idea on how to push the commit yet; it looks like it is
not enough to be in the "administration" group to do that.


Hmm...  Let me look at things for a bit.


Thank you!



Re: [Savannah-users] password must contain multiple character classes...

2013-05-05 Thread Bob Proulx
Ineiev wrote:
> I've just installed the changes on frontend.sv.gnu.org and checked
> that they work;

Thank you for doing that update.  That is great that this behavior has
been improved.

Dan (jidanni) the original poster isn't subscribed.  He didn't ask to
be CC'd so we haven't been doing so.  Would you write him and let him
know that you improved things for him?

> I have no idea on how to push the commit yet; it looks like it is
> not enough to be in the "administration" group to do that.

Hmm...  Let me look at things for a bit.

Bob



Re: [Savannah-users] password must contain multiple character classes...

2013-05-04 Thread Ineiev

On 05/03/2013 09:49 PM, Bob Proulx wrote:

Over time there have been many committers.  Notably Sylvain has the
majority for a long time.  Most recently Michael has the majority of
commits.


I've just installed the changes on frontend.sv.gnu.org and checked
that they work; I have no idea on how to push the commit yet; it looks
like it is not enough to be in the "administration" group to do that.



Re: [Savannah-users] password must contain multiple character classes...

2013-05-03 Thread Bob Proulx
Ineiev wrote:
> The latest committer must know, unless the effort was abandoned.

Looking at the log history I see that they were the same project until
2009 when they were forked.  Since that time there has been a long
history of merges from savane-cleanup to administration/savane.  It
appears that savane-cleanup has been treated as the master development
track and administration/savane treated as a downstream secondary with
a merge every time a new commit was made to savane-cleanup.

Over time there have been many committers.  Notably Sylvain has the
majority for a long time.  Most recently Michael has the majority of
commits.

Bob



Re: [Savannah-users] password must contain multiple character classes...

2013-05-03 Thread Ineiev

On 05/02/2013 11:10 PM, Bob Proulx wrote:
> There weren't any differences between the two repositories concerning
> the files for which you have proposed changes.  So everything you
> propose applies equally to either.  But it seems to me that the
> repository that needs your modifications is administration/savane.
> Since that is the one that is actively running the site.

I think you are right; I should have noticed that myself.

> And if savane-cleanup is a fork then the improvements really need to
> go into it too.  Does anyone know the status of that cleanup effort?

The latest committer must know, unless the effort was abandoned.



Re: [Savannah-users] password must contain multiple character classes...

2013-05-02 Thread Bob Proulx
Ineiev wrote:
> It looks like the relevant files are
> frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
> frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
> (the repository being GIT of
> http://savannah.gnu.org/projects/savane-cleanup).

+1.  I agree.  Those proposed changes look reasonable to me.

I am still learning the system so take the following only as an
observation from an outsider who is looking in.  While poking things
with a stick I see the following:

There seem to be several repositories associated with Savannah.
(These plus the Django Python rewrite.)

  git://git.savannah.nongnu.org/savane-cleanup
  git://git.sv.gnu.org/administration/savane

Note that "sv" is an alias for "savannah" and so any combination
difference with git.sv.gnu.org versus git.savannah.gnu.org isn't a
real difference.  But that still leaves the two repositories
savane-cleanup and administration/savane.

As far as I can see from looking, the live copy is using the
administration/savane (git://git.sv.gnu.org/administration/savane)
repository.

I checked the 'git status' of the live instance and there are a small
handful of untracked files there, mostly manual backups and copies.
All of the tracked files are current and in sync.  No pending
differences.  Good!

I diff'd administration/savane and savane-cleanup and they are very
similar but not identical.  Here is the diffstat from savane to
savane-cleanup (meaning that some changes might be reversed and/or
forked).  It's a small number of files.

 AUTHORS |5 ---
 backend/Makefile.am |1 
 backend/accounts/sv_get_authorized_keys.in  |3 +-
 frontend/php/account/lostpw.php |2 -
 frontend/php/account/register.php   |4 +-
 frontend/php/css/Savannah.css   |   41 +++-
 frontend/php/include/pagemenu.php   |   18 +++-
 frontend/php/include/project_home.php   |4 +-
 frontend/php/include/session.php|2 +
 frontend/php/include/trackers/format.php|4 +-
 frontend/php/include/trackers_run/index.php |   38 +
 frontend/php/people/viewjob.php |   10 --
 12 files changed, 108 insertions(+), 24 deletions(-)

There weren't any differences between the two repositories concerning
the files for which you have proposed changes.  So everything you
propose applies equally to either.  But it seems to me that the
repository that needs your modifications is administration/savane.
Since that is the one that is actively running the site.

And if savane-cleanup is a fork then the improvements really need to
go into it too.  Does anyone know the status of that cleanup effort?

Bob



Re: [Savannah-users] password must contain multiple character classes...

2013-05-02 Thread Karl Berry
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
(the repository being GIT of
http://savannah.gnu.org/projects/savane-cleanup).

Thanks very much, Ineiev.

I fully agree with your proposed changes.  If there are no objections
from others within a few days, please go ahead and install them.

We can surely consider other changes in the future, but these at least
seem like no-brainers to me.

karl



Re: [Savannah-users] password must contain multiple character classes...

2013-05-02 Thread Ineiev

Hello,

It looks like the relevant files are
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
(the repository being GIT of
http://savannah.gnu.org/projects/savane-cleanup).

Currently it uses the default pwqcheck options to check the passwords
(max=40, min=disabled,24,11,8,7), which means that the message
in account.php (account_password_help) ("not too short,
must contain multiple character classes...") is not exact: a password
may contain only two character classes if its length is 24 or more;
I think this uncertainty could be addressed if the help message
is modified like "long enough or containing multiple character
classes &c", with the exact pwqcheck options displayed.

Now, I can see two specific suggestions about the checks in this
thread (a patch is attached):

(0) Allow single-class passwords if they are long enough.

The NIST Electronic Authentication Guideline [0] suggests that a
22-character user-chosen password composed from a 10-character
alphabet has the same entropy as a 7-character user-chosen,
extensively checked password, so it must be safe to replace
"disabled" with "24".

(1) Allow longer passwords.

I think 256 bytes should be sufficient: even if 3-byte UTF-8
characters are used, it would be about 90 symbols, and it is hard
to expect that longer passwords may be useful.

[0] http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf
(Table A.1 on page 107)
diff --git a/frontend/php/include/account.php b/frontend/php/include/account.php
index f81635f..e757500 100644
--- a/frontend/php/include/account.php
+++ b/frontend/php/include/account.php
@@ -24,11 +24,13 @@
 require_once(dirname(__FILE__).'/pwqcheck.php');
 
 function account_password_help() {
-  global $use_pwqcheck;
-  $help = _("(not too short, must contain multiple character classes: symbols, 
digits (0-9), upper and lower case letters)");
+  global $use_pwqcheck, $pwqcheck_args;
+  $help = _("(long enough or containing multiple character classes: symbols, 
digits (0-9), upper and lower case letters)");
   if ($use_pwqcheck) {
 $pwqgen = exec("pwqgen");
-$help .= " ".sprintf(_("(for instance: %s)"), htmlspecialchars($pwqgen));
+$help .= " ".sprintf(_("(for instance: %s)."), htmlspecialchars($pwqgen));
+$help .= " ".sprintf(_("pwqcheck options are: '%s'"),
+ htmlspecialchars($pwqcheck_args));
   }
   return $help;
 }
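Review bot: the new help text prints the raw option string (the `pwqcheck options are: '%s'` line fed with `$pwqcheck_args`) to every user, but `max=256 min=24,24,11,8,7` means nothing to someone who does not know passwdqc's N0..N4 convention, and if `$pwqcheck_args` is ever left at its old value of `''` the page will read "pwqcheck options are: ''". Spell the thresholds out in words instead (e.g. "at least 24 characters if you use only one kind of character, 11 with two, 8 with three, 7 with four"), or at least skip the line when the string is empty. Also, changing the msgid from `(for instance: %s)` to `(for instance: %s).` invalidates every existing translation of that string; keeping the full stop outside the `_()` call preserves them.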
diff --git a/frontend/php/include/init.php b/frontend/php/include/init.php
index 7b17312..3e7ab80 100644
--- a/frontend/php/include/init.php
+++ b/frontend/php/include/init.php
@@ -88,9 +88,17 @@ $sys_debug_sqlprofiler = false;
 // Do we have the pwqcheck(1) program from the passwdqc package?
 $use_pwqcheck = TRUE;
 // We can override the default password policy
-$pwqcheck_args = '';
-#$pwqcheck_args = 'config=/etc/passwdqc.conf';
-
+// max=40 is overridden because some users want longer passwords.
+// min=default,24,11,8,7 is overridden for N0 passwords
+// (the passwords consisting of characters from single class)
+// because NIST Electronic Authentification Gudeline
+// (Special Publication 800-63-1, Table A.1 on page 107
+//  http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf)
+// suggests that user-chosen 7 characters long password passing extensive
+// checks has 27 bits of entropy, the same as 22 characters long
+// user-chosen password composed from 10-character alphabet with no checks
+// implied, so we can safely admit any 24 characters long passwords.
+$pwqcheck_args = 'max=256 min=24,24,11,8,7';
 
 # autoconf-based:
 require_once(dirname(__FILE__).'/ac_config.php');
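Review bot: the comment `min=default,24,11,8,7 is overridden for N0 passwords` misstates what is being overridden; passwdqc's shipped default is `min=disabled,24,11,8,7` (as the message body says), so "default" should read "disabled". The same comment spells "Authentication Guideline" as "Authentification Gudeline". One caveat worth recording next to `max=256 min=24,24,11,8,7`: pwqcheck measures length in bytes, so the 24-byte N0 threshold is met by a password of 24 bytes of multi-byte UTF-8, which is far fewer symbols than the 22-character figure the cited NIST table assumes; if that gap matters, note it in the comment so the next reader does not take the entropy argument as exact.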


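A model of the length-versus-character-class policy the message above describes, added here as an illustration; it is neither Savane's code nor passwdqc's. It reimplements the `max=N` and `min=N0,N1,N2,N3,N4` rules of pwqcheck as I understand them and compares the old defaults against the proposed `max=256 min=24,24,11,8,7`. Assumptions, repeated in the comments: passwdqc gives no credit for a leading uppercase letter or a trailing digit when counting classes, treats non-ASCII bytes as an "unknown" class, and measures length in bytes. The real pwqcheck also runs dictionary, passphrase (N2) and similarity checks that are left out, so this only shows what the length thresholds do. The sample passwords are constructed for the demonstration.

```python
import math

DEFAULT_ARGS = "max=40 min=disabled,24,11,8,7"   # passwdqc's shipped defaults
NEW_ARGS = "max=256 min=24,24,11,8,7"            # the init.php value in the patch

# Which min= slot applies to a password with 1..4 character classes.
# Slot 2 (N2) is for passphrases, which this model does not implement.
MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}


def parse_pwqcheck_args(args: str) -> dict:
    """Parse the subset of pwqcheck options used here: max=N and min=N0,...,N4.

    Options not given keep passwdqc's defaults; "disabled" becomes math.inf so
    that a plain length comparison can never satisfy it.
    """
    policy = {"max": 40, "min": [math.inf, 24, 11, 8, 7]}
    for tok in args.split():
        key, _, val = tok.partition("=")
        if key == "max":
            policy["max"] = int(val)
        elif key == "min":
            parts = val.split(",")
            if len(parts) != 5:
                raise ValueError("min= needs exactly five values")
            policy["min"] = [math.inf if p == "disabled" else int(p) for p in parts]
        else:
            raise ValueError(f"option not modelled here: {key}")
    return policy


def count_classes(pw: bytes) -> int:
    """Character classes as passwdqc counts them (assumption: modelled on its is_simple()).

    Digits, lower case, upper case and other ASCII are the four classes; bytes
    >= 0x80 ("unknown" to passwdqc) only add a class when the password would
    otherwise have none, or only digits.
    """
    digits = lowers = uppers = others = unknowns = 0
    for c in pw:
        if c >= 0x80:
            unknowns += 1
        elif 0x30 <= c <= 0x39:
            digits += 1
        elif 0x61 <= c <= 0x7A:
            lowers += 1
        elif 0x41 <= c <= 0x5A:
            uppers += 1
        else:
            others += 1
    # Assumption: passwdqc gives no credit for a capital first letter or a
    # trailing digit, the two habits the thread says composition rules induce.
    if pw and 0x41 <= pw[0] <= 0x5A:
        uppers -= 1
    if pw and 0x30 <= pw[-1] <= 0x39:
        digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n > 0)
    if unknowns and (classes == 0 or (digits and classes == 1)):
        classes += 1
    return classes


def check_password(password: str, args: str = DEFAULT_ARGS):
    """Return None if the password satisfies the length policy, otherwise the reason."""
    policy = parse_pwqcheck_args(args)
    pw = password.encode("utf-8")          # pwqcheck sees bytes, so length is in bytes
    if len(pw) > policy["max"]:
        return f"too long: {len(pw)} bytes > max={policy['max']}"
    classes = count_classes(pw)
    if classes == 0:
        return "too simple"
    need = policy["min"][MIN_INDEX[classes]]
    if len(pw) < need:
        shown = "disabled" if need == math.inf else need
        return f"too short for {classes} class(es): {len(pw)} bytes < {shown}"
    return None


# Constructed sample passwords, one per rule worth seeing.
SAMPLES = [
    "correcthorsebatterystaple",     # 25 bytes, one class
    "correct horse battery staple",  # the spaces make it two classes
    "Password1",                     # capital and digit are not credited
    "Tr0ub4dor&3",                   # three credited classes in 11 bytes
    "a" * 60,                        # single class, longer than the old max=40
    "\u20ac" * 80,                   # 80 euro signs = 240 UTF-8 bytes
    "\u20ac" * 90,                   # 270 bytes, over max=256 as well
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (verdict under the old defaults, verdict under the patch)."""
    return {s: (check_password(s), check_password(s, NEW_ARGS)) for s in samples}


if __name__ == "__main__":
    for s, (old, new) in compare().items():
        print(f"{s[:28]!r:32} old: {old or 'ok':44} new: {new or 'ok'}")
```

Running it shows the three points made in the thread: the old defaults already accepted "correct horse battery staple" because the spaces count as a second class, but rejected the same words run together; "Password1" is a one-class password under either setting because neither the capital nor the digit is credited; and the byte-based `max` is what decides the fate of long non-ASCII passwords, 80 three-byte characters passing and 90 failing under the new `max=256`.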
Re: [Savannah-users] password must contain multiple character classes...

2013-04-22 Thread Jordi Gutiérrez Hermoso
On 22 April 2013 10:50, Ineiev  wrote:
> On 04/05/2013 09:49 PM, Karl Berry wrote:
>>
>> We are all agreed that the current savannah password requirement is
>> suboptimal, so there's no point in continuing to argue about it, there's
>> no one left to convince.  What's needed, as always with savannah, is a
>> person to volunteer to figure out how to actually change it and do the
>> work.
>
>
> What about allowing longer passwords (e.g. up to 127 characters;
> more wouldn't probably be practically useful)?

Sure. Would you like to do it on the current PHP base or the Python rewrite?

- Jordi G. H.



Re: [Savannah-users] password must contain multiple character classes...

2013-04-22 Thread Ineiev

On 04/05/2013 09:49 PM, Karl Berry wrote:

We are all agreed that the current savannah password requirement is
suboptimal, so there's no point in continuing to argue about it, there's
no one left to convince.  What's needed, as always with savannah, is a
person to volunteer to figure out how to actually change it and do the
work.


What about allowing longer passwords (e.g. up to 127 characters;
more wouldn't probably be practically useful)?



Re: [Savannah-users] password must contain multiple character classes...

2013-04-05 Thread Jordi Gutiérrez Hermoso
Guys, we know the Savannah passwords are dumb.

But unless someone hacks Savannah, they'll remain dumb.

- Jordi G. H.



Re: [Savannah-users] password must contain multiple character classes...

2013-04-05 Thread Karl Berry
We are all agreed that the current savannah password requirement is
suboptimal, so there's no point in continuing to argue about it, there's
no one left to convince.  What's needed, as always with savannah, is a
person to volunteer to figure out how to actually change it and do the
work.

karl



Re: [Savannah-users] password must contain multiple character classes...

2013-04-04 Thread Bob Proulx
Kaz Kylheku wrote:
> Miles Bader wrote:
> > k...@freefriends.org (Karl Berry) writes:
> >> How is your password "much" better?  Using non-alphanumeric
> >> characters?  I thought they were allowed even though the message
> >> doesn't mention them.

The whole concept of a favorite password bothered me.  Because it
means that passwords are being reused.  Reusing passwords is bad.

> > I think there's a pretty general consensus by now that this sort of
> > requirement ("must contain a digit and a punctuation symbol" or
> > whatever) does more harm than good.  Most certainly it's annoying...
> 
> It's completely retarded. It only induces people to choose weak
> passwords.
> Must contain a capital? Okay, capitalize the dictionary word.
> Must contain a digit? Okay, stick a one on it, or replace an o with 0.
> 
> There should be a choice: numbers and glyphs, or make it longer.
> I'd rather type a password phrase with multiple words and spaces.

I just use completely random passwords these days.  No "favorite"
passwords for me.  I have far too many accounts to remember each one.
Therefore I do write them down and simply cut and paste them.

  Why passwords have never been weaker—and crackers have never been stronger
  http://arstechnica.com/security/2012/08/passwords-under-assault/

  From the article:
  "The average Web user maintains 25 separate accounts but uses just
  6.5 passwords to protect them..."

And of course XKCD also addresses this too:

  Password Reuse
  http://xkcd.com/792/

Bob



Re: [Savannah-users] password must contain multiple character classes...

2013-04-04 Thread Kaz Kylheku

On Fri, 05 Apr 2013 11:46:32 +0900, Miles Bader  wrote:
> k...@freefriends.org (Karl Berry) writes:
>> How is your password "much" better?  Using non-alphanumeric
>> characters?  I thought they were allowed even though the message
>> doesn't mention them.
> 
> I think there's a pretty general consensus by now that this sort of
> requirement ("must contain a digit and a punctuation symbol" or
> whatever) does more harm than good.  Most certainly it's annoying...

It's completely retarded. It only induces people to choose weak
passwords.
Must contain a capital? Okay, capitalize the dictionary word.
Must contain a digit? Okay, stick a one on it, or replace an o with 0.

There should be a choice: numbers and glyphs, or make it longer.
I'd rather type a password phrase with multiple words and spaces.





Re: [Savannah-users] password must contain multiple character classes...

2013-04-04 Thread Miles Bader
k...@freefriends.org (Karl Berry) writes:
> How is your password "much" better?  Using non-alphanumeric
> characters?  I thought they were allowed even though the message
> doesn't mention them.

I think there's a pretty general consensus by now that this sort of
requirement ("must contain a digit and a punctuation symbol" or
whatever) does more harm than good.  Most certainly it's annoying...

http://xkcd.com/936/

-miles

-- 
We are all lying in the gutter, but some of us are looking at the stars.
-Oscar Wilde




Re: [Savannah-users] password must contain multiple character classes...

2013-03-29 Thread jidanni
> "KB" == Karl Berry  writes:
KB> How is your password "much" better?  Using non-alphanumeric characters?
KB> I thought they were allowed even though the message doesn't mention
KB> them.

No, it doesn't. But me and those big websites think it is great. Anyway,
just keep the lost password page open -- I'll be back!



Re: [Savannah-users] password must contain multiple character classes...

2013-03-29 Thread Karl Berry
password must contain multiple character classes...

I think there is general agreement that the current password requirement
is not ideal.  Savannah needs additional volunteers who can help with
back-end administration and hack on things like this.  Until that
happens, it's not likely anything about this will change.

my much better password, but have to conform to some expert person's
concept of what is a good password.

How is your password "much" better?  Using non-alphanumeric characters?
I thought they were allowed even though the message doesn't mention
them.

Best,
k