Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-15 Thread Kevin Kofler via devel
Sérgio Basto wrote:
> please try `pwgen -s 20 1 -cny`

Good idea, though it actually accepted the 20-character alphanumeric 
password without symbols just fine. I believe there used to be a requirement 
for a symbol, but this does not seem to be a hard requirement anymore; there 
is a more complex strength check now.

Kevin Kofler
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-15 Thread Kevin Kofler via devel
Marcin Juszkiewicz wrote:
> A 9-character password in 2022 is considered 'easily breakable' thanks to
> the power of GPUs.

To "break" the password offline with a GPU, you need a hashed password to 
begin with. If I log in securely over HTTPS and if the server is not 
compromised (and neither is my computer), you do not get my password, 
neither hashed nor unhashed. So then you need to actually brute-force the 
password by logging in to the server; the GPU will not help you a bit, and 
you will likely get blacklisted pretty quickly. So I see this as an absolute 
non-issue.

> Maybe start using some password manager to generate and store long
> enough passwords?

Well, yes, I store the password in KWallet, so it was not a major 
inconvenience to have to generate and store a new one. It was just an 
entirely unnecessary inconvenience.

Kevin Kofler
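The two attack models argued over above (offline guessing against a stolen hash versus online guessing against a login endpoint that throttles and blacklists) can be put in numbers. The Python below is an added illustration, not code from the thread or from Bugzilla. The guessing rates are assumed values chosen to represent the two models (the offline figure depends entirely on the hash algorithm), the symbol set of 32 printable ASCII punctuation characters is an assumption, and the 9-character shape follows the original message's description (8 mixed-case alphanumerics plus one symbol).

```python
import math

# Character-set sizes for the password shapes discussed in the thread.
ALNUM = 26 + 26 + 10   # mixed-case letters and digits (pwgen -s without -y)
SYMBOLS = 32           # assumed: the printable ASCII punctuation characters

# Assumed guessing rates, constructed for illustration rather than measured.
# Online: a login endpoint that throttles and blacklists leaves an attacker a
# handful of guesses per second at best.  Offline: a stolen hash tried on a
# GPU; the real figure depends on the hash algorithm (far lower for bcrypt).
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10


def keyspace_uniform(length, charset_size):
    """Number of passwords of `length` symbols drawn uniformly from a charset."""
    return charset_size ** length


def keyspace_old_bugzilla_password():
    """The rejected 9-character shape from the original message: exactly one
    symbol (at any of the 9 positions) plus 8 mixed-case alphanumerics."""
    return 9 * SYMBOLS * ALNUM ** 8


def entropy_bits(keyspace):
    """Entropy of a password chosen uniformly from a keyspace of that size."""
    return math.log2(keyspace)


def expected_seconds(keyspace, guesses_per_sec):
    """Expected time to hit a uniformly random password: half the keyspace."""
    return keyspace / 2 / guesses_per_sec


def human_duration(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(keyspace):
    """Return (bits, online_seconds, offline_seconds) for one password shape."""
    return (entropy_bits(keyspace),
            expected_seconds(keyspace, ONLINE_GUESSES_PER_SEC),
            expected_seconds(keyspace, OFFLINE_GUESSES_PER_SEC))


if __name__ == "__main__":
    shapes = {
        "9 chars: 8 alnum + 1 symbol (old)": keyspace_old_bugzilla_password(),
        "20 chars: alnum only (pwgen -s 20 1)": keyspace_uniform(20, ALNUM),
    }
    for label, ks in shapes.items():
        bits, online, offline = compare(ks)
        print(f"{label}: {bits:.1f} bits")
        print(f"  online, throttled login : {human_duration(online)}")
        print(f"  offline, GPU vs. hash   : {human_duration(offline)}")
```

Under these assumptions the old 9-character shape has about 56 bits of entropy: tens of millions of years against a throttled login, but on the order of weeks against a fast unsalted hash on a GPU. That is the gap between the two positions in the thread, and it is why the hash algorithm and the breach history of the server matter more to the answer than the raw length.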


Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-14 Thread Sérgio Basto
On Fri, 2022-10-14 at 03:39 +0200, Kevin Kofler via devel wrote:
> Hi,
> 
> I have generated a new 20-character random password with "pwgen -s 20
> 1", 

please try `pwgen -s 20 1 -cny`

Best regards, 
-- 
Sérgio M. B.


Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-14 Thread Björn Persson
Kevin Kofler via devel wrote:
> I have generated a new 20-character random password with "pwgen -s 20 1", 

See how easy that was. And your using random passcodes tells me that
you keep them in a password manager, which means that you don't need to
type the passcode, so you have no need to limit its length.

Can't you find some actual problem to be angry over?

Björn Persson




Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-14 Thread Marcin Juszkiewicz

On 14.10.2022 at 03:39, Kevin Kofler via devel wrote:
> today, Red Hat Bugzilla forced me to change my password because
> apparently a password of 9 random alphanumeric+symbol characters (1
> symbol, 8 mixed-case alphanumeric) is suddenly no longer considered
> secure enough. This is absolutely ridiculous for a bug tracker.

This bug tracker is also used to track several other products. It has 
several bug reports marked as private for security or confidential or 
other reasons. Fedora is just one of the products tracked there.

> It is not like that password is for a bank account or for a build
> system (I believe FAS and thus Koji actually has less stringent
> password security requirements than that!), so how secure does the
> password really have to be?

A 9-character password in 2022 is considered 'easily breakable' thanks to 
the power of GPUs.

Maybe start using some password manager to generate and store long 
enough passwords? Or invent easy to remember ones like "I am Kevin 
Kofler and this is my password#$78"?



Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-14 Thread Petr Pisar
On Fri, Oct 14, 2022 at 03:39:32AM +0200, Kevin Kofler via devel wrote:
> today, Red Hat Bugzilla forced me to change my password because apparently a 
> password of 9 random alphanumeric+symbol characters (1 symbol, 8 mixed-case 
> alphanumeric) is suddenly no longer considered secure enough. This is 
> absolutely ridiculous for a bug tracker. It is not like that password is for 
> a bank account or for a build system (I believe FAS and thus Koji actually 
> has less stringent password security requirements than that!), so how secure 
> does the password really have to be?
> 
Bugzilla contains data about embargoed vulnerabilities.

-- Petr




Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-14 Thread Sandro

On 14-10-2022 03:39, Kevin Kofler via devel wrote:
> It is not like that password is for
> a bank account or for a build system (I believe FAS and thus Koji actually
> has less stringent password security requirements than that!), so how secure
> does the password really have to be?

You basically already mentioned your way out: log in with FAS.

-- Sandro


Re: Ridiculous new Red Hat Bugzilla password security requirements

2022-10-13 Thread Gary Buhrmaster
On Fri, Oct 14, 2022 at 1:39 AM Kevin Kofler via devel wrote:
> ... but this is absolutely absurd.

To (mis) quote Randy Bush: "their application, their rules".
If you don't like them, find another provider.

I hope that RedHat quickly supports passkeys, where
this all becomes moot.

Unless you share your specific password (please do
*NOT* *NOT* do so), there is no way to know for sure
if the password has other issues.

For example, technically, PassWORD! meets most
minimal length and mixed case requirements, but
is clearly not a good password.
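Gary's point that PassWORD! satisfies length and mixed-case rules while being a poor password is the reason strength checkers moved from composition rules to estimating how guessable a candidate is (Kevin notes earlier in the thread that Bugzilla now applies a more complex strength check). The Python below is an added example, not Bugzilla's code or anything posted in the thread: a composition check beside a checker that normalizes case, leet substitutions and leading/trailing decoration before consulting a wordlist. The wordlist, the 12-character minimum and the candidates other than Gary's PassWORD! and Marcin's passphrase are constructed for the demonstration.

```python
import re

# Constructed stand-in for the breached-password / dictionary lists a real
# strength checker consults; production checkers use lists of many millions.
COMMON_WORDS = {
    "password", "qwerty", "letmein", "welcome", "iloveyou",
    "bugzilla", "fedora", "redhat",
}

# Substitutions that cracking rule sets undo routinely, so the checker undoes
# them too before consulting the wordlist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed policy minimum for the stronger check; the thread does not state
# the length Bugzilla actually enforces.
MIN_LEN = 12


def composition_check(pw, min_len=8):
    """The classic rule set: minimal length, both cases, and a non-letter.
    'PassWORD!' satisfies it, which is exactly the gap Gary points at."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z]", pw) is not None)


def normalize(pw):
    """Strip the cheap decoration: case, a leading/trailing run of digits or
    punctuation, and leet substitutions inside the word."""
    core = pw.lower()
    core = re.sub(r"^[0-9\W_]+|[0-9\W_]+$", "", core)
    return core.translate(LEET)


def strength_check(pw):
    """Return (ok, reason). Rejects decorated dictionary words and repeated
    patterns before looking at length, so the reason stays informative."""
    if normalize(pw) in COMMON_WORDS:
        return False, "dictionary word with trivial decoration"
    if len(pw) >= 4 and re.fullmatch(r"(.+?)\1+", pw):
        return False, "repeated pattern"
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: Gary's example, a leet/decorated variant, a
    # repeated pattern, Marcin's passphrase idea, and a random 20-character
    # pwgen-style string.
    for candidate in ("PassWORD!", "P@ssw0rd2022!", "abcabcabcabc",
                      "I am Kevin Kofler and this is my password#$78",
                      "k3Jf9sLq2Xz7Bv1Nm4Rt"):
        print(f"{candidate!r}: composition={composition_check(candidate)}, "
              f"strength={strength_check(candidate)}")
```

The composition check accepts every candidate above, including PassWORD! and P@ssw0rd2022!; the normalizing check rejects both as decorated dictionary words while passing the long passphrase and the random pwgen-style string. A real deployment replaces the eight-word set with a breached-password list and adds an entropy estimate, but the ordering of the checks (dictionary first, then structure, then length) is what makes the rejection reason useful to the user.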


Ridiculous new Red Hat Bugzilla password security requirements

2022-10-13 Thread Kevin Kofler via devel
Hi,

today, Red Hat Bugzilla forced me to change my password because apparently a 
password of 9 random alphanumeric+symbol characters (1 symbol, 8 mixed-case 
alphanumeric) is suddenly no longer considered secure enough. This is 
absolutely ridiculous for a bug tracker. It is not like that password is for 
a bank account or for a build system (I believe FAS and thus Koji actually 
has less stringent password security requirements than that!), so how secure 
does the password really have to be?

I have generated a new 20-character random password with "pwgen -s 20 1", 
and that is good enough for Bugzilla (but who knows for how long?), but this 
is absolutely absurd.

Kevin Kofler