savannah-hackers-public

Re: [Savannah-hackers-public] [savannah-help-public] [sr #108600] Regist


From: beuc
Subject: Re: [Savannah-hackers-public] [savannah-help-public] [sr #108600] Registration b0rked
Date: Thu, 26 Jun 2014 19:40:42 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Thu, Jun 26, 2014 at 05:28:37PM +0000, Karl Berry wrote:
>     http://savannah.gnu.org/support/?108600
>     ...
>     The password I was choosing should be plenty strong for this.
> 
> I admit I have some sympathy with the view that our password
> requirements are too stringent.  How about requiring only two classes
> for eight-char passwords instead of three?  Sure, it is weaker, but
> there's a tradeoff between pain for users (high) and likelihood of a bad
> guy ever getting the encrypted passwords (low).  Besides, if a bad guy
> does get the encrypted pws, that probably means they have root on
> savannah and our problems are a lot worse than 2-class vs. 3-class
> passwords.

Just a couple notes:

- it's meant to support easy-to-remember https://xkcd.com/936/

- last time we got a compromise (2010), the user had the encrypted
  passwords (through SQL injection), but he didn't get root.

-- 
Sylvain
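
The tradeoff discussed above, as an added illustration that is not Savannah's own code: a checker expressing the class-count rule for 8-character passwords with the class minimum as a parameter (so 2 vs. 3 classes can be compared side by side), next to the xkcd 936 passphrase alternative. The class split (lower/upper/digit/other) and the entropy figures are assumptions: naive upper bounds that treat every character or word as uniformly random, which user-chosen passwords never are.

```python
import math
import string

# Assumed class split for the policy under discussion; 33 is the printable-ASCII punctuation count.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}

def present_classes(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes

def meets_class_policy(password: str, min_classes: int, min_length: int = 8) -> bool:
    """Class-count rule: min_length chars using at least min_classes classes (2 vs. 3 is the tradeoff)."""
    return len(password) >= min_length and len(present_classes(password)) >= min_classes

def meets_passphrase_policy(password: str, min_words: int = 4) -> bool:
    """xkcd 936 style alternative: several whitespace-separated words, no class requirement."""
    return len(password.split()) >= min_words

def naive_entropy_bits(password: str) -> float:
    """Rough upper bound: each char drawn uniformly from the alphabet spanned by its classes."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in present_classes(password))
    return len(password) * math.log2(alphabet)

def passphrase_entropy_bits(words: int, dictionary_size: int = 2048) -> float:
    """xkcd 936 estimate: each word uniformly from a 2048-word list is 11 bits per word."""
    return words * math.log2(dictionary_size)

def evaluate(password: str) -> dict:
    """Summarise one candidate under both policies so their cost and benefit can be compared."""
    return {
        "classes": len(present_classes(password)),
        "two_class_ok": meets_class_policy(password, 2),
        "three_class_ok": meets_class_policy(password, 3),
        "passphrase_ok": meets_passphrase_policy(password),
        "naive_bits": round(naive_entropy_bits(password), 1),
    }
```

Whichever rule is chosen, the 2010 incident mentioned above is the reason the stored form matters as much as the policy: a slow, salted password hash limits what a leaked table is worth regardless of class count.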


