Gentoo Archives: gentoo-user

From: Bill Longman <bill.longman@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords
Date: Wed, 11 Aug 2010 23:04:06
Message-Id: 4C632000.7020800@gmail.com
In Reply to: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice by Alan McKinnon
On 08/11/2010 01:30 PM, Alan McKinnon wrote:

> I refuse to implement password expiration policies and have a vast array of
> literature to back me up when some dimwit damager gets on his expiration high
> horse.
>
> My users pick their own passwords - I present a list of 5 from apg and let
> them pick one. Accounts do expire if they go unused for 90 days, but not
> passwords.
>
> What put me onto this policy? I found Gartner recommending password
> expiration. I find the best security possible is always the opposite of what
> Gartner says. Discovering how the AD admins in the company go about their jobs
> was the convincing straw :-)

The bigger buggerboo I see is the "password complexity" [il]logic.
There's this vapid requirement of all these different types of
characters needed in one's password, yet the thing you really want to
enforce is adequate entropy. If my password is an entire sentence, it
will not be brute-forced, even if I used just ASCII A-z. There's just
too much key space in 4.7^32. At 10^5 attempts per second, you're likely
to find the answer in half a billion years. I hope your keyboard still
works, let alone exists....
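
Added example, not part of the original message: a Python sketch that compares the search space of an 8-character password under a typical "one of each character class" rule with a 32-character letters-only passphrase, at the 10^5 guesses per second used in the message. The class sizes (26 lower, 26 upper, 10 digits, 32 ASCII symbols), the lengths 8 and 32, and the function names are assumptions of this example, and every figure assumes each character is chosen uniformly at random, which a natural-language sentence is not, so the results are upper bounds.

```python
from itertools import combinations
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATE = 10**5  # guesses per second, the figure used in the message


def keyspace(length, alphabet_size):
    """Number of strings of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def compliant_keyspace(length, class_sizes):
    """Strings of `length` with at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing
    one class, add back those missing two, and so on.
    """
    alphabet = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            count += (-1) ** k * (alphabet - sum(missing)) ** length
    return count


def expected_years(space, rate=RATE):
    """Average exhaustive-search time: half the space must be tried."""
    return space / 2 / rate / SECONDS_PER_YEAR


def compare():
    classes = (26, 26, 10, 32)  # assumed: lower, upper, digits, symbols
    unrestricted = keyspace(8, sum(classes))
    policy = compliant_keyspace(8, classes)
    sentence = keyspace(32, 52)  # assumed: 32 characters, letters only
    return {
        "policy_fraction": policy / unrestricted,
        "policy_bits": log2(policy),
        "policy_years": expected_years(policy),
        "sentence_bits": log2(sentence),
        "sentence_years": expected_years(sentence),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16s} {value:.4g}")
```

The complexity rule shrinks the 8-character space to less than half of what the same alphabet allows without the rule, while length alone puts the passphrase far beyond it.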

Replies

Subject Author
Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords Alan McKinnon <alan.mckinnon@×××××.com>