[aur-dev] [PATCH] Increase minimum password length to 8 characters
Hi,
I'm new to AUR so I hope sending a patch like this is the correct thing to do.
There are 95 printable ASCII characters which with a minimum length of 4 gives 95^4 or 81 million possible passwords. Increasing the minimum length to 8 increases the number of possible passwords by a factor of about 10^7. I imagine most AUR users have pretty good password practice so they won't be affected by this change, but it will improve security for a subset of users.
For a given user I can generate all 4 character passwords on my laptop in under 2 minutes in Python and therefore all 5 character passwords in a few hours. This change makes it much harder (but still nowhere near impossible) to brute force generate passwords.
FS#52297 <https://bugs.archlinux.org/task/52297>
Cheers,
Alex
On Mon, 2017-01-02 at 12:41 +0000, Alex Muller via aur-dev wrote:
Hi,
I'm new to AUR so I hope sending a patch like this is the correct thing to do.
Use git-send-email(1) or send the patch inline instead of adding a patch as an attachment and make sure you sign-off on the patch.
There are 95 printable ASCII characters which with a minimum length of 4 gives 95^4 or 81 million possible passwords.
Increasing the minimum length to 8 increases the number of possible passwords by a factor of about 10^7. I imagine most AUR users have pretty good password practice so they won't be affected by this change, but it will improve security for a subset of users.
For a given user I can generate all 4 character passwords on my laptop in under 2 minutes in Python and therefore all 5 character passwords in a few hours. This change makes it much harder (but still nowhere near impossible) to brute force generate passwords.
Since this is also in the patch, I would not really include these paragraphs in the patch since they are not all that necessary to be that verbose about it.
FS#52297 <https://bugs.archlinux.org/task/52297>
I would change this to "Fixes: FS#52297" instead.
Cheers,
Alex
Mark Weiman
Since this is also in the patch, I would not really include these paragraphs in the patch since they are not all that necessary to be that verbose about it.
Removed a bit of the context from the commit message.
I would change this to "Fixes: FS#52297" instead.
Updated to just "Relates to" because I'd like to see the codebase stop using MD5 for passwords before I consider that fixed :)
Patch follows, thanks for your help!
From d1cffe291c93073f62272c17aae1346dfabe4f55 Mon Sep 17 00:00:00 2001 From: Alex Muller <alex@mullr.net> Date: Mon, 2 Jan 2017 11:09:44 +0000 Subject: [PATCH] Increase minimum password length to 8 characters
There are 95 printable ASCII characters which with a minimum length of 4 gives 95^4 or 81 million possible passwords. Increasing the minimum length to 8 increases the number of possible passwords by a factor of about 10^7. Relates to FS#52297. Signed-off-by: Alex Muller <alex@mullr.net> --- conf/config.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/config.proto b/conf/config.proto index 96fad80..63e2458 100644 --- a/conf/config.proto +++ b/conf/config.proto @@ -9,7 +9,7 @@ password = aur [options] username_min_len = 3 username_max_len = 16 -passwd_min_len = 4 +passwd_min_len = 8 default_lang = en sql_debug = 0 max_sessions_per_user = 8 -- 2.11.0
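Review bot: The `passwd_min_len = 8` line only changes the default shipped in the prototype file conf/config.proto, and nothing in the patch says how an installation that already has its own config picks up the new value or what happens to accounts whose current password is 4 to 7 characters long. I would add a sentence to the commit message or the upgrade notes telling administrators to raise `passwd_min_len` in their deployed config, and stating whether the limit is checked only when a password is set or changed. The neighbouring `username_max_len = 16` has no password counterpart in the visible context, so it is also worth confirming that no upper bound elsewhere conflicts with the new minimum.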
On Wed, 04 Jan 2017 at 00:03:35, Alex Muller via aur-dev wrote:
Patch follows, thanks for your help!
Merged to pu. Thanks!
participants (3): Alex Muller, Lukas Fleischer, Mark Weiman