On Sun, Jun 18, 2017 at 12:19:46PM -0600, JD wrote: This seems... unnecssary. No one in GNOME is "disabling the user". Remember that Fedora — like GNOME, for that matter — is maintained by volunteers. For whatever reason, this package is marked as an "orphan". This means that there is not currently anyone volunteering to take care of it. If you'd like to help, see the process for claimin an orphaned package: https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers... -- Matthew Miller <mattdm(a)fedoraproject.org&gt; Fedora Project Leader

On 06/18/2017 07:03 PM, Tim wrote: 4. Used to be able to customize your desktop without installing third party add-ons that might break without warning at the next update.

On Sun, 18 Jun 2017 17:25:41 -0000 "Andre Robatino" <robatino(a)fedoraproject.org&gt; wrote: It doesn't have a gui that I know of, but I use pwgen from the Fedora repositories. It warns that the passwords are less secure than fully random passwords, but it allows passwords to be required to have a capital, a number, and a special character. When I put a 16 or 18 character password into a strength checker, it always comes out as highly secure. Of course, I don't remember those, I keep them in an encrpyted file and cut and paste them where needed. Not sure how secure using the paste buffer would be on a shared system.

BTW, just noticed a bug. pwgen doesn't have an option to use numbers only (for creating PINs) so I tried to use "pwgen -n 1" to generate a sequence of random digits. But all of the 1-character passwords are lower-case letters, no digits. Filed https://bugzilla.redhat.com/show_bug.cgi?id=1462557 .

Many websites don't allow even 30 chars. One of the important ones I use allows only 16 characters (and no 2FA option), but happens to allow special characters. Using the largest possible character set is the only way to shore that up.

On 06/18/2017 08:49 PM, Andre Robatino wrote: A credit card that I recall, allows 56 character paswords.

If you use a password manager, you can use a different strong random password for each site, and copy and paste it. Fifty characters is just as easy as 8, and means you don't have to worry about changing the password again (unless a website like Socialsecurity.gov forces you to, and they should eventually stop doing that). That works as long as the website isn't hacked. If it is, even if the passwords are hashed (which they often aren't), the hash can be cracked if the password is weak. This actually happened to my PayPal account in 2002. At the time, I was using a weak password vulnerable to a dictionary attack (but not to only several login attempts). PayPal sent me an email asking me to change my password, claiming it was just a random request and had nothing to do with a specific attack. Since I knew my password was secure against a handful of login attempts, I just changed the password and then immediately changed it back to the original one. Shortly after, my account was hacked and money was withdrawn from my bank account. PayPal admitted in a later email that there actually had been an attack where the password hashes were stolen (implying that they were lying the first time). PayPal did eventually reimburse me for the money. The point is that it's good if a website limits login attempts, but yo u can't rely on that. I always assume that the hash could become public, and choose my password accordingly. (Of course, many websites store passwords in plain text, in which case the only thing that helps is not using the same or similar password anywhere else.)

On Mon, 19 Jun 2017 04:48:16 -0000 "Andre Robatino" <robatino(a)fedoraproject.org&gt; wrote: How? Don't the attackers have to know the password hashing algorithm to do that? If they have enough penetration into the system to know that, couldn't they just capture the passwords when they were unhashed? i.e. could it have been that they let paypal know they had been compromised, so that a program they left on paypal's systems could report the unhashed passwords when paypal told their users to reset their passwords?

On Mon, 19 Jun 2017 11:12:20 -0400 Matthew Miller <mattdm(a)fedoraproject.org&gt; wrote: Why not use RSA? Create a set of RSA keys, and don't publish them. Encrypt each password with one of the keys, and store it in a database. When needed, decrypt it with the other RSA key. Or encrypt with the original key to compare with the database contents. If an attacker gets the database without the RSA keys, they are trying to decrypt the encrypted message without knowing the composite number that generated the keys. That is, they are trying to break RSA for all composite numbers the product of two large primes. Horrendous. And because these RSA keys aren't published, they can be nonstandard sizes. 4023? 3084? 6173? Good luck with that if you are the cracker. :-) This is private key RSA instead of public key RSA, more secure. Not roll your own crypto, extensively attacked and tested crypto. Sure, if your system gets compromised, and someone gains the keys, they break the encryption easily, but that isn't a crypto problem.

On Mon, 19 Jun 2017 17:35:10 -0000 "Andre Robatino" <robatino(a)fedoraproject.org&gt; wrote: Yes, that certainly seems sophisticated. Systems level thinking.

On Mon, 19 Jun 2017 15:54:25 -0400 Tom Horsley <horsley1953(a)gmail.com&gt; wrote: It might be that they are arguing about patent rights, but it could also be that the prototype is not robust enough to deal with everyday life. There is a huge junkyard between the bench and the shelf. It could also be that a government agency bought all the rights to the device, and is sitting on it because it is too secure. What would speculation be without conspiracy theories? :-)

On Mon, 19 Jun 2017 21:27:51 +0100 Patrick O'Callaghan wrote: But, but, but, they aren't quantum :-).

On Mon, 2017-06-19 at 00:17 -0700, Joe Zeff wrote: The problem with many of these "rules" is that they don't apply universally. A password suitable for a banking site is one thing, and a password for your home Wifi network is another. Never write down the first one (use a password manager), but feel free to write down the second one and keep it in a drawer. And where possible, use your router to configure a guest network with a different password and more restricted access for those times when you have visitors. I have a number of bank accounts in several countries (for perfectly legitimate reasons, I hasten to add) and in my experience each bank has its own rules which as often as not mitigate *against* good security practice, e.g. forcing you to change the password every 3 months (which invites password1, password2, password3 ...) or having their own peculiar Javascript which blocks you from using a password manager. One of them even disallows cut-and-paste, which tempts the user to have a password simple enough to remember and type by hand. poc

On Mon, Jun 19, 2017 at 08:36:35AM -0400, Tom Horsley wrote: possibly of brain-dead underlying systems that will accept only those characters. -- ---- Fred Smith -- fredex(a)fcshome.stoneham.ma.us ----------------------------- Show me your ways, O LORD, teach me your paths; Guide me in your truth and teach me, for you are God my Savior, And my hope is in you all day long. -------------------------- Psalm 25:4-5 (NIV) --------------------------------

On Mon, 2017-06-19 at 08:36 -0400, Tom Horsley wrote: I just use the X buffer copy-and-paste, which they don't seem to be aware of. Exactly. It also makes me question the competence of whoever programmed the website. Can it be that they only know how to read alphanumeric input? poc

On Mon, 2017-06-19 at 12:07 -0400, Tom Horsley wrote: Indeed. It's often the same kind of site that breaks when I input my surname ... poc

On Mon, 19 Jun 2017 12:51:30 +0930 Tim <ignored_mailbox(a)yahoo.com.au&gt; wrote: I don't think it has to be as low as 3. It could be 100 or 1000, a restriction that a human will never hit, but a cracking program will hit almost immediately. This makes it easy to separate attackers from legitimate users, and take appropriate action against the attackers. Ban their IP address? Notify their ISP? Track their botnet and disable it? I'm not sure there are effective defenses. An alternative is to look for frequency of login attempts. More than 1 every second implies a bot, not a human.

On 06/18/2017 01:55 PM, Andre Robatino wrote: I use "apg". It lets you choose the character classes you want included in the password and you can also exclude specific characters if necessary.

On 18.06.2017, stan wrote: Pwgen uses /dev/urandom, so the statement that those passwords are less secure than "fully" random passwords (define "fully random"..) is merely of academical nature. In case of any doubt, you can always do something like head /dev/random | tr -dc A-Za-z0-9 | head -c X where X is your password length. Tr also lets you tailor the characterset used.

On Mon, 19 Jun 2017 06:03:08 -0400 Tom Horsley <horsley1953(a)gmail.com&gt; wrote: I was using the same, but now find (qt)pass more pleasant to use. Sincerely, Gour -- As the ignorant perform their duties with attachment to results, the learned may similarly act, but without attachment, for the sake of leading people on the right path.

On Mon, Jun 19, 2017 at 8:42 AM, stan <stanl-fedorauser(a)vfemail.net&gt; wrote: I'm surprised no one has posted this yet: https://xkcd.com/936/ --Greg

On Mon, 19 Jun 2017 07:37:35 +0200 Heinz Diehl <htd+ml(a)fritha.org&gt; wrote: Here's my shell hack to generate passwords using the above. It saves the passwords in the file devurandom_password.txt in the home directory. #! /bin/bash # generate a password using a character set, /dev/urandom, # and tr to select the characters included. # The three arguments are # the character class to use to generate the password (default alnum) # and # the length of the password (default 20) # and # the number of passwords to generate (default 10) DPW=/home/$USER/devurandom_password.txt if [ "$#" = 0 ]; then set an 20 10 elif [ "$#" = 1 ]; then set $1 20 10 elif [ "$#" = 2 ]; then set $1 $2 10 fi echo "Passwords from /dev/urandom with $1" > $DPW echo '' >> $DPW for ((x = 0 ; x < $3 ; x = x + 1)) ; do if [ "$1" = an ]; then echo $(head /dev/random | tr -dc [:alnum:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = al ]; then echo $(head /dev/random | tr -dc [:alpha:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = cn ]; then echo $(head /dev/random | tr -dc [:cntrl:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = di ]; then echo $(head /dev/random | tr -dc [:digit:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = gr ]; then echo $(head /dev/random | tr -dc [:graph:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = lo ]; then echo $(head /dev/random | tr -dc [:lower:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = pr ]; then echo $(head /dev/random | tr -dc [:print:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = pu ]; then echo $(head /dev/random | tr -dc [:punct:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = sp ]; then echo $(head /dev/random | tr -dc [:space:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = up ]; then echo $(head /dev/random | tr -dc [:upper:] | head -c $2) >> $DPW echo '' >> $DPW elif [ "$1" = xd ]; then echo $(head /dev/random | tr -dc [:xdigit:] | head -c $2) >> $DPW echo '' >> $DPW else echo $(head /dev/random | tr -dc [:alnum:] | head -c $2) >> $DPW echo '' >> $DPW fi ; done exit 0 ;