
Re: [Savannah-users] password must be more complicated


From: Bob Proulx
Subject: Re: [Savannah-users] password must be more complicated
Date: Tue, 7 May 2013 15:28:58 -0600
User-agent: Mutt/1.5.21 (2010-09-15)

Ineiev wrote:
> pwgen -1 -s 8 10000|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done|grep ^OK|wc -l
> 
> 8698

Because traditional passwords were often eight characters we still
often pick passwords that are eight characters long.  So 87% of random
passwords will be accepted.  13% will not!  That still seems to be a
fairly high rejection rate to me.

> pwgen -1 -s 9 10000|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done|grep ^OK|wc -l
> 
> 9334

By pushing one more character to nine we are down to a 7% rejection
rate.  That still isn't great.  But it is significantly better than
the 13% of eight characters.

And that is just randomly generated.  People thinking up characters
will not produce random enough output.  Some people will always think
up ones in the accepted set.  Some people will always think up ones in
the rejected set.  Because people are poor entropy generators.

> Of course, an independent generator will produce some passwords
> that don't pass pwqcheck criteria, but IMHO the results
> are reasonable (provided the goal is to eliminate weak passwords
> rather than to accept all pwgen-generated ones).

I had two goals with my message.  One is that I think the rejection
rate (which you so nicely determined experimentally as 13%, thank you)
is quite high, too high, using pwqcheck, and I would like to reduce it.

Two is that pwqcheck is just one way of checking the plain text of a
password.  I can only believe that there has been a lot of energy
expended looking at this task in projects worldwide and that there
may be a better way of ensuring strong passwords.  I have looked at
the problem previously but don't have a great answer.  People tend to
create poor passwords and if you try to educate them to produce better
ones then they become frustrated that it is too much work.

I put the question out there hoping that someone would already know a
nice way to do this and then we might incorporate it into the Savannah
site.  Nothing ventured then nothing gained.

Bob
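
The rejection-rate measurement quoted in this message, written as a reusable script. This is an added example, not part of the original thread: the helper names `reject_pct` and `survey` are hypothetical, the lengths 10 and 12 go beyond the two the thread measured, and acceptance is detected by the same leading `OK` the thread's `grep ^OK` relies on.

```shell
#!/bin/sh
# reject_pct CHECKER [ARGS...]   (hypothetical helper name)
# Reads candidate passwords on stdin, one per line, pipes each one to
# CHECKER, and prints the percentage that CHECKER did not answer "OK" for.
reject_pct() {
    total=0
    rejected=0
    while IFS= read -r pw; do
        total=$((total + 1))
        # Same acceptance test as the thread's `grep ^OK`.
        case $(printf '%s\n' "$pw" | "$@") in
            OK*) ;;
            *) rejected=$((rejected + 1)) ;;
        esac
    done
    if [ "$total" -eq 0 ]; then
        echo "reject_pct: no passwords on stdin" >&2
        return 1
    fi
    awk -v r="$rejected" -v t="$total" 'BEGIN { printf "%.1f\n", 100 * r / t }'
}

# survey [COUNT]   (hypothetical helper name)
# Repeats the thread's experiment for several lengths with the same
# pwqcheck policy string, so the effect of each extra character is visible.
survey() {
    count=${1:-10000}
    for len in 8 9 10 12; do
        pct=$(pwgen -1 -s "$len" "$count" |
              reject_pct pwqcheck -1 min=24,24,11,8,7)
        printf '%2d chars: %s%% rejected\n' "$len" "$pct"
    done
}

# Run the survey only when asked: sh thisfile.sh survey
if [ "${1:-}" = survey ]; then
    survey "${2:-10000}"
fi
```

Because the checker is passed as arguments, the same function can compare a different `min=` policy or a different checker against the same generated sample.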


