Re: [Savannah-users] password must contain multiple character classes...
> "I" == Ineiev writes: I> when they are long enough (24 bytes or longer); Man, you guys are the BDSM of password lords...
Re: [Savannah-users] password must contain multiple character classes...
On 05/06/2013 09:48 AM, Bob Proulx wrote:
> Dan (jidanni) the original poster isn't subscribed. He didn't ask to be
> CC'd so we haven't been doing so. Would you write him and let him know
> that you improved things for him?

Done.

>> I have no idea on how to push the commit yet; it looks like it is not
>> enough to be in the "administration" group to do that.
>
> Hmm... Let me look at things for a bit.

Thank you!
Re: [Savannah-users] password must contain multiple character classes...
Ineiev wrote: > I've just installed the changes on frontend.sv.gnu.org and checked > that they work; Thank you for doing that update. That is great that this behavior has been improved. Dan (jidanni) the original poster isn't subscribed. He didn't ask to be CC'd so we haven't been doing so. Would you write him and let him know that you improved things for him? > I have no idea on how to push the commit yet; it looks like it is > not enough to be in the "administration" group to do that. Hmm... Let me look at things for a bit. Bob
Re: [Savannah-users] password must contain multiple character classes...
On 05/03/2013 09:49 PM, Bob Proulx wrote:
> Over time there have been many committers. Notably Sylvain has the
> majority for a long time. Most recently Michael has the majority of
> commits.

I've just installed the changes on frontend.sv.gnu.org and checked that they work; I have no idea on how to push the commit yet; it looks like it is not enough to be in the "administration" group to do that.
Re: [Savannah-users] password must contain multiple character classes...
Ineiev wrote: > The latest committer must know, unless the effort was abandoned. Looking at the log history I see that they were the same project until 2009 when they were forked. Since that time there has been a long history of merges from savane-cleanup to administration/savane. It appears that savane-cleanup has been treated as the master development track and administration/savane treated as a downstream secondary with a merge every time a new commit was made to savane-cleanup. Over time there have been many committers. Notably Sylvain has the majority for a long time. Most recently Michael has the majority of commits. Bob
Re: [Savannah-users] password must contain multiple character classes...
On 05/02/2013 11:10 PM, Bob Proulx wrote: > There weren't any differences between the two repositories concerning > the files for which you have proposed changes. So everything you > propose applies equally to either. But it seems to me that the > repository that needs your modifications is administration/savane. > Since that is the one that is actively running the site. I think you are right; I should have noticed that myself. > And if savane-cleanup is a fork then the improvements really need to > go into it too. Does anyone know the status of that cleanup effort? The latest committer must know, unless the effort was abandoned.
Re: [Savannah-users] password must contain multiple character classes...
Ineiev wrote:
> It looks like the relevant files are
> frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
> frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
> (the repository being GIT of
> http://savannah.gnu.org/projects/savane-cleanup).

+1. I agree. Those proposed changes look reasonable to me.

I am still learning the system so take this following only as an observation from an outsider who is looking in. While poking things with a stick I see the following:

There seem to be several repositories associated with Savannah. (These plus the Django Python rewrite.)

git://git.savannah.nongnu.org/savane-cleanup
git://git.sv.gnu.org/administration/savane

Note that "sv" is an alias for "savannah" and so any combination difference with git.sv.gnu.org versus git.savannah.gnu.org isn't a real difference. But that still leaves the two repositories savane-cleanup and administration/savane.

As far as I can see from looking, the live copy is using the administration/savane (git://git.sv.gnu.org/administration/savane) repository. I checked the 'git status' of the live instance and there are a small handful of untracked files there, mostly manual backups and copies. All of the tracked files are current and in sync. No pending differences. Good!

I diff'd administration/savane and savane-cleanup and they are very similar but not identical. Here is the diffstat from savane to savane-cleanup (meaning that some changes might be reversed and/or forked). It's a small number of files.

 AUTHORS                                     |  5 ---
 backend/Makefile.am                         |  1
 backend/accounts/sv_get_authorized_keys.in  |  3 +-
 frontend/php/account/lostpw.php             |  2 -
 frontend/php/account/register.php           |  4 +-
 frontend/php/css/Savannah.css               | 41 +++-
 frontend/php/include/pagemenu.php           | 18 +++-
 frontend/php/include/project_home.php       |  4 +-
 frontend/php/include/session.php            |  2 +
 frontend/php/include/trackers/format.php    |  4 +-
 frontend/php/include/trackers_run/index.php | 38 +
 frontend/php/people/viewjob.php             | 10 --
 12 files changed, 108 insertions(+), 24 deletions(-)

There weren't any differences between the two repositories concerning the files for which you have proposed changes. So everything you propose applies equally to either. But it seems to me that the repository that needs your modifications is administration/savane. Since that is the one that is actively running the site. And if savane-cleanup is a fork then the improvements really need to go into it too. Does anyone know the status of that cleanup effort?

Bob
Re: [Savannah-users] password must contain multiple character classes...
> frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
> frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
> (the repository being GIT of http://savannah.gnu.org/projects/savane-cleanup).

Thanks very much, Ineiev. I fully agree with your proposed changes. If there are no objections from others within a few days, please go ahead and install them. We can surely consider other changes in the future, but these at least seem like no-brainers to me.

karl
Re: [Savannah-users] password must contain multiple character classes...
Hello,

It looks like the relevant files are
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
(the repository being GIT of http://savannah.gnu.org/projects/savane-cleanup).

Currently it uses default pwqcheck options to check the passwords (max=40, min=disabled,24,11,8,7), which means that the message in account.php (account_password_help) ("not too short, must contain multiple character classes...") is not exact: it may contain two character classes if its length is 24 or more; I think this uncertainty could be addressed if the help message is modified like "long enough or containing multiple character classes &c", with exact pwqcheck options displayed.

Now, I can see two specific suggestions about the checks in this thread (a patch is attached):

(0) Allow single-class passwords if they are long enough. NIST Electronic Authentication Guideline [0] suggests that a 22 characters long user-chosen password composed from a 10-character alphabet has the same entropy as a 7 characters long user-chosen extensively checked password, so it must be safe to replace "disabled" with "24".

(1) Allow longer passwords. I think 256 bytes should be sufficient: even if 3-byte UTF-8 characters are used, it would be about 90 symbols, and it is hard to expect that longer passwords may be useful.

[0] http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf (Table A.1 on page 107)

diff --git a/frontend/php/include/account.php b/frontend/php/include/account.php index f81635f..e757500 100644 --- a/frontend/php/include/account.php +++ b/frontend/php/include/account.php 
@@ -24,11 +24,13 @@ require_once(dirname(__FILE__).'/pwqcheck.php'); function account_password_help() { - global $use_pwqcheck; - $help = _("(not too short, must contain multiple character classes: symbols, digits (0-9), upper and lower case letters)"); + global $use_pwqcheck, $pwqcheck_args; + $help = _("(long enough or containing multiple character classes: symbols, digits (0-9), upper and lower case letters)"); if ($use_pwqcheck) { $pwqgen = exec("pwqgen"); -$help .= " ".sprintf(_("(for instance: %s)"), htmlspecialchars($pwqgen)); +$help .= " ".sprintf(_("(for instance: %s)."), htmlspecialchars($pwqgen)); +$help .= " ".sprintf(_("pwqcheck options are: '%s'"), + htmlspecialchars($pwqcheck_args)); } return $help; } diff --git a/frontend/php/include/init.php b/frontend/php/include/init.php index 7b17312..3e7ab80 100644 --- a/frontend/php/include/init.php +++ b/frontend/php/include/init.php @@ -88,9 +88,17 @@ $sys_debug_sqlprofiler = false; // Do we have the pwqcheck(1) program from the passwdqc package? $use_pwqcheck = TRUE; // We can override the default password policy -$pwqcheck_args = ''; -#$pwqcheck_args = 'config=/etc/passwdqc.conf'; - +// max=40 is overridden because some users want longer passwords. +// min=default,24,11,8,7 is overridden for N0 passwords +// (the passwords consisting of characters from single class) +// because NIST Electronic Authentification Gudeline +// (Special Publication 800-63-1, Table A.1 on page 107 +// http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf) +// suggests that user-chosen 7 characters long password passing extensive +// checks has 27 bits of entropy, the same as 22 characters long +// user-chosen password composed from 10-character alphabet with no checks +// implied, so we can safely admit any 24 characters long passwords. +$pwqcheck_args = 'max=256 min=24,24,11,8,7'; # autoconf-based: require_once(dirname(__FILE__).'/ac_config.php');
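Review bot: in the account_password_help() hunk, the new sprintf(_("pwqcheck options are: '%s'"), htmlspecialchars($pwqcheck_args)) runs whenever $use_pwqcheck is set, so a site that leaves $pwqcheck_args at the previous default of '' will show "pwqcheck options are: ''" and say nothing about the built-in policy (max=40 min=disabled,24,11,8,7); guard the new line with a non-empty check on $pwqcheck_args, or print the defaults in that case. Two smaller points: changing the msgid "(for instance: %s)" to "(for instance: %s)." invalidates every existing translation of that string, and a raw option string such as 'max=256 min=24,24,11,8,7' is cryptic for ordinary users; rendering it into words (at least 24 characters, or at least 11 with three character classes, and so on) would serve them better.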
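Review bot: the comment above the new $pwqcheck_args line in init.php describes the overridden default as min=default,24,11,8,7, but the value being replaced is min=disabled,24,11,8,7 (as the mail body says; "disabled" is the keyword pwqcheck understands), so the comment should say disabled; it also misspells the NIST title, which is "Electronic Authentication Guideline". The chosen min=24,24,11,8,7 respects passwdqc's requirement that each min value be no larger than the preceding one, which is worth one sentence in the comment because a later edit that lowers N0 below N1 (say 20,24,11,8,7) would not be accepted by pwqcheck. Finally, max=256 is measured in bytes of the UTF-8 string, not in characters, as the mail body notes; since account_password_help() now displays this value to users, the comment should state that too.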
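The class-count and length rules Ineiev's post describes (pwqcheck's max=N and min=N0,N1,N2,N3,N4, with the old defaults max=40 min=disabled,24,11,8,7 beside the patch's max=256 min=24,24,11,8,7) are easier to reason about when run over concrete passwords. The following Python block is an added example written for this page; it is not Savane's pwqcheck.php wrapper nor passwdqc's own code. It implements only the length and character-class part of the policy, as passwdqc.conf(5) documents it (an upper-case first character and a trailing digit do not count towards the class count), and leaves out passwdqc's dictionary, similarity and passphrase checks. Lengths are counted in UTF-8 bytes, since pwqcheck sees a C string; treating non-ASCII bytes as the "other" class and counting a password that trims down to zero classes as one-class are assumptions. The sample passwords are constructed for the example.

```python
"""Length/character-class part of a pwqcheck policy, as described in the
post above (added example; not Savane's pwqcheck.php nor passwdqc itself).

Assumptions: only the max= and min= options are parsed; passwdqc's
dictionary, similarity and passphrase (N2) checks are omitted; lengths are
counted in UTF-8 bytes, as pwqcheck counts the bytes of a C string;
non-ASCII characters fall into the "other" class.
"""

from dataclasses import dataclass
from typing import Optional, Tuple

PWQCHECK_DEFAULTS = "max=40 min=disabled,24,11,8,7"  # from the post above


@dataclass(frozen=True)
class Policy:
    max_len: int                        # max=N, in bytes
    mins: Tuple[Optional[int], ...]     # N0..N4; None means "disabled"


def parse_pwqcheck_args(args: str) -> Policy:
    """Parse a pwqcheck option string such as 'max=256 min=24,24,11,8,7'.
    Options not given keep pwqcheck's defaults."""
    max_len = 40
    mins: Tuple[Optional[int], ...] = (None, 24, 11, 8, 7)
    for token in args.split():
        key, _, value = token.partition("=")
        if key == "max":
            max_len = int(value)
        elif key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= takes exactly five values N0,N1,N2,N3,N4")
            mins = tuple(None if f == "disabled" else int(f) for f in fields)
        else:
            raise ValueError(f"option {key!r} is not handled by this example")
    # passwdqc.conf(5): each min value must be no larger than the preceding
    # one; "disabled" behaves like infinity, so disabled,24,... is valid.
    numeric = [float("inf") if m is None else m for m in mins]
    if any(a < b for a, b in zip(numeric, numeric[1:])):
        raise ValueError("min= values must be non-increasing")
    return Policy(max_len, mins)


def character_classes(password: str) -> int:
    """Count passwdqc's classes (digits, lower, upper, other). Per
    passwdqc.conf(5), an upper-case first character and a digit as the last
    character are not counted, so "Password1" is a one-class password."""
    chars = list(password)
    if chars and chars[0].isascii() and chars[0].isupper():
        chars = chars[1:]
    if chars and chars[-1].isascii() and chars[-1].isdigit():
        chars = chars[:-1]
    seen = set()
    for c in chars:
        if not c.isascii():
            seen.add("other")        # assumption: non-ASCII counts as "other"
        elif c.isdigit():
            seen.add("digit")
        elif c.islower():
            seen.add("lower")
        elif c.isupper():
            seen.add("upper")
        else:
            seen.add("other")        # punctuation, space, ...
    return len(seen)


def check(password: str, policy: Policy) -> str:
    """Return "OK" or a string starting with "rejected:" (length/class rules only)."""
    length = len(password.encode("utf-8"))
    if length > policy.max_len:
        return f"rejected: {length} bytes exceeds max={policy.max_len}"
    classes = max(character_classes(password), 1)   # assumption: "A1" is one class
    # N2 is the passphrase minimum, which this example does not implement.
    index = {1: 0, 2: 1, 3: 3, 4: 4}[classes]
    minimum = policy.mins[index]
    if minimum is None:
        return f"rejected: {classes}-class passwords are disabled (N{index})"
    if length < minimum:
        return f"rejected: {length} bytes, {classes} class(es) need N{index}={minimum}"
    return "OK"


OLD_POLICY = parse_pwqcheck_args("")                           # pwqcheck defaults
NEW_POLICY = parse_pwqcheck_args("max=256 min=24,24,11,8,7")   # the patch's value

# Constructed sample passwords, not taken from any real account.
SAMPLES = [
    "Password1",                   # the "capitalize it, stick a 1 on it" habit
    "Tr0ub4dor&3",                 # three classes once T and 3 are trimmed
    "correcthorsebatterystaple",   # 25 lower-case bytes, one class
    "x" * 41,                      # one class, longer than the old max=40
    "длинныйпарольизкириллицы",    # 24 characters but 48 UTF-8 bytes
]


def compare(password: str) -> Tuple[str, str]:
    """Result under the default policy and under the patched policy."""
    return check(password, OLD_POLICY), check(password, NEW_POLICY)


if __name__ == "__main__":
    for pw in SAMPLES:
        old, new = compare(pw)
        print(f"{pw[:26]:<26} old: {old:<48} new: {new}")
```

Running it shows the two effects the patch is after: the 25-byte single-class passphrase goes from "disabled" to accepted, and the 41-byte and 48-byte passwords stop failing on max=40; it also shows that "Password1" is a one-class password under both policies, which is Kaz's point from earlier in the thread.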
Re: [Savannah-users] password must contain multiple character classes...
On 22 April 2013 10:50, Ineiev wrote: > On 04/05/2013 09:49 PM, Karl Berry wrote: >> >> We are all agreed that the current savannah password requirement is >> suboptimal, so there's no point in continuing to argue about it, there's >> no one left to convince. What's needed, as always with savannah, is a >> person to volunteer to figure out how to actually change it and do the >> work. > > > What about allowing longer passwords (e.g. up to 127 characters; > more wouldn't probably be practically useful)? Sure. Would you like to do it on the current PHP base or the Python rewrite? - Jordi G. H.
Re: [Savannah-users] password must contain multiple character classes...
On 04/05/2013 09:49 PM, Karl Berry wrote:
> We are all agreed that the current savannah password requirement is
> suboptimal, so there's no point in continuing to argue about it, there's
> no one left to convince. What's needed, as always with savannah, is a
> person to volunteer to figure out how to actually change it and do the
> work.

What about allowing longer passwords (e.g. up to 127 characters; more wouldn't probably be practically useful)?
Re: [Savannah-users] password must contain multiple character classes...
Guys, we know the Savannah passwords are dumb. But unless someone hacks Savannah, they'll remain dumb. - Jordi G. H.
Re: [Savannah-users] password must contain multiple character classes...
We are all agreed that the current savannah password requirement is suboptimal, so there's no point in continuing to argue about it, there's no one left to convince. What's needed, as always with savannah, is a person to volunteer to figure out how to actually change it and do the work. karl
Re: [Savannah-users] password must contain multiple character classes...
Kaz Kylheku wrote: > Miles Bader wrote: > > k...@freefriends.org (Karl Berry) writes: > >> How is your password "much" better? Using non-alphanumeric > >> characters? I thought they were allowed even though the message > >> doesn't mention them. The whole concept of a favorite password bothered me. Because it means that passwords are being reused. Reusing passwords is bad. > > I think there's a pretty general consensus by now that this sort of > > requirement ("must contain a digit and a punctuation symbol" or > > whatever) does more harm than good. Most certainly it's annoying... > > It's completely retarded. It only induces people to choose weak > passwords. > Must contain a capital? Okay, capitalize the dictionary word. > Must contain a digit? Okay, stick a one on it, or replace an o with 0. > > There should be a choice: numbers and glyphs, or make it longer. > I'd rather type a password phrase with multiple words and spaces. I just use completely random passwords these days. No "favorite" passwords for me. I have far too many accounts to remember each one. Therefore I do write them down and simply cut and paste them. Why passwords have never been weaker—and crackers have never been stronger http://arstechnica.com/security/2012/08/passwords-under-assault/ From the article: "The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them..." And of course XKCD also addresses this too: Password Reuse http://xkcd.com/792/ Bob
Re: [Savannah-users] password must contain multiple character classes...
On Fri, 05 Apr 2013 11:46:32 +0900, Miles Bader wrote: > k...@freefriends.org (Karl Berry) writes: >> How is your password "much" better? Using non-alphanumeric >> characters? I thought they were allowed even though the message >> doesn't mention them. > > I think there's a pretty general consensus by now that this sort of > requirement ("must contain a digit and a punctuation symbol" or > whatever) does more harm than good. Most certainly it's annoying... It's completely retarded. It only induces people to choose weak passwords. Must contain a capital? Okay, capitalize the dictionary word. Must contain a digit? Okay, stick a one on it, or replace an o with 0. There should be a choice: numbers and glyphs, or make it longer. I'd rather type a password phrase with multiple words and spaces.
Re: [Savannah-users] password must contain multiple character classes...
k...@freefriends.org (Karl Berry) writes: > How is your password "much" better? Using non-alphanumeric > characters? I thought they were allowed even though the message > doesn't mention them. I think there's a pretty general consensus by now that this sort of requirement ("must contain a digit and a punctuation symbol" or whatever) does more harm than good. Most certainly it's annoying... http://xkcd.com/936/ -miles -- We are all lying in the gutter, but some of us are looking at the stars. -Oscar Wilde
Re: [Savannah-users] password must contain multiple character classes...
> "KB" == Karl Berry writes:
KB> How is your password "much" better? Using non-alphanumeric characters?
KB> I thought they were allowed even though the message doesn't mention
KB> them.

No, it doesn't. But me and those big websites think it is great. Anyway, just keep the lost password page open -- I'll be back!
Re: [Savannah-users] password must contain multiple character classes...
> password must contain multiple character classes...

I think there is general agreement that the current password requirement is not ideal. Savannah needs additional volunteers who can help with back-end administration and hack on things like this. Until that happens, it's not likely anything about this will change.

> my much better password, but have to conform to some expert person's
> concept of what is a good password.

How is your password "much" better? Using non-alphanumeric characters? I thought they were allowed even though the message doesn't mention them.

Best,
k