Closed
Bug 623261
Opened 14 years ago
Closed 13 years ago
Use 8 characters as the minimum password length
Categories
(bugzilla.mozilla.org :: General, defect)
RESOLVED
FIXED
People
(Reporter: clyon, Assigned: reed)
Details
(Whiteboard: [bmo4.0-resolved])
We need to up the password policy character length for b.m.o to 8 characters.
Comment 1 (Assignee) • 14 years ago
Is there a particular reason that this is being requested right now? Just trying to understand all possible reasons/situations. What minimum length are other Mozilla sites using? I have no problem with the minimum length being larger for those with some type of special access, but most of our users aren't special, so maybe we should make a special case extension or something. Also, please remove infra from this bug. Only one of the four current bmo hackers is in that group. I've added the webtools-security group for now, but I don't think this really needs to be private at all, honestly.
Group: webtools-security
Comment 2 (Reporter) • 14 years ago
Min of 8 is going to be the standard for all sites moving forward.
Group: infra, webtools-security
Comment 3 (Assignee) • 14 years ago
As this has major implications with regards to existing users, we'll make this change part of the 4.0 upgrade.

Committing to: bzr+ssh://bzr.mozilla.org/bmo/4.0/
modified Bugzilla/Constants.pm
Committed revision 7490.
Assignee: nobody → reed
Status: NEW → ASSIGNED
Whiteboard: bmo4.0-fixed
Updated (Assignee) • 14 years ago
Summary: password policy for b.m.o change → Use 8 characters as the minimum password length
Comment 4 • 14 years ago
(We are using bmo4.0-resolved for all bugs resolved by the upgrade, regardless of potential resolution.)

Chris: are you OK with this? We'd rather have all the disruption in one go. The plan is to upgrade to 4.0 after Firefox 4 is released, so we don't disrupt engineering.

Gerv
Whiteboard: bmo4.0-fixed → bmo4.0-resolved
Comment 5 (Reporter) • 14 years ago
(In reply to comment #4)
> (We are using bmo4.0-resolved for all bugs resolved by the upgrade, regardless
> of potential resolution.)
>
> Chris: are you OK with this? We'd rather have all the disruption in one go. The
> plan is to upgrade to 4.0 after Firefox 4 is released, so we don't disrupt
> engineering.
>
> Gerv

yeah, post ff4 is fine given the schedules ahead of us.
Updated • 13 years ago
Whiteboard: bmo4.0-resolved → [bmo4.0-resolved]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 13 years ago
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
8 is now EASILY bruteforceable by GPU if someone ever steals a hash. Minimum should be 12-16 - and in this end, the requirement for a stupid uppercase character can be removed because the password entropy increases more-than-exponentially for a single extra character to have to try EVERYTHING ELSE for. http://xkcd.com/936 for God's sake
It's 2014 now with GPUs going crazy for bitcoin hashing - they can crack any 8 character password very quickly.… http://www.lockdown.co.uk/?pg=combi&s=articles
Flags: needinfo?
Comment 9 (Assignee) • 10 years ago
Offline brute forcing time is based off the strength of the hashes, not just the length of the password.
Flags: needinfo?
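
The trade-off argued in the last comments (password length versus hash strength), worked through as an added example; it is not part of this bug or of Bugzilla's code. It assumes a 95-character printable-ASCII alphabet, uses a single salted SHA-256 and PBKDF2-HMAC-SHA256 at 100,000 iterations as stand-ins for a fast and a slow scheme, and measures rates on the local CPU, so only the ratio between the rows is meaningful, not the absolute times.

```python
import hashlib
import os
import time

PRINTABLE = 95  # assumed alphabet: printable ASCII

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def fast_hash(password, salt):
    # Single salted SHA-256: very cheap per guess.
    return hashlib.sha256(salt + password).digest()

def slow_hash(password, salt, iterations=100_000):
    # PBKDF2-HMAC-SHA256: cost per guess scales with the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def measure_rate(hash_fn, seconds=0.2):
    """Guesses per second this machine achieves for one hashing scheme."""
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"candidate%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)

def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def report():
    """One row per (scheme, length): name, length, rate, worst-case years."""
    rows = []
    for name, fn in (("sha256", fast_hash), ("pbkdf2-100k", slow_hash)):
        rate = measure_rate(fn)
        for length in (8, 12):
            years = years_to_exhaust(PRINTABLE, length, rate)
            rows.append((name, length, rate, years))
    return rows

if __name__ == "__main__":
    for name, length, rate, years in report():
        print(f"{name:12} len={length:2} {rate:12.0f} guesses/s {years:.3e} years")
```

Going from 8 to 12 characters multiplies the search space by 95^4 regardless of scheme, while the slow hash divides the guess rate by roughly its iteration count; the two factors multiply.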