Use 8 characters as the minimum password length

Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Component: General
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 4 years ago
Reporter: clyon
Assignee: reed
Whiteboard: [bmo4.0-resolved]

(Reporter)

Description

7 years ago
we need to up the password policy character length for b.m.o to 8 characters.
(Assignee)

Comment 1

7 years ago
Is there a particular reason that this is being requested right now? Just trying to understand all possible reasons/situations.

What minimum length are other Mozilla sites using? I have no problem with the minimum length being larger for those with some type of special access, but most of our users aren't special, so maybe we should make a special case extension or something.

Also, please remove infra from this bug. Only one of the four current bmo hackers is in that group. I've added the webtools-security group for now, but I don't think this really needs to be private at all, honestly.
Group: webtools-security
(Reporter)

Comment 2

7 years ago
min of 8 is going to be the standard for all sites moving forward.
Group: infra, webtools-security
(Assignee)

Comment 3

7 years ago
As this has major implications with regards to existing users, we'll make this change part of the 4.0 upgrade.

Committing to: bzr+ssh://bzr.mozilla.org/bmo/4.0/
modified Bugzilla/Constants.pm
Committed revision 7490.
Assignee: nobody → reed
Status: NEW → ASSIGNED
Whiteboard: bmo4.0-fixed
(Assignee)

Updated

7 years ago
Summary: password policy for b.m.o change → Use 8 characters as the minimum password length
Comment 4

(We are using bmo4.0-resolved for all bugs resolved by the upgrade, regardless of potential resolution.)

Chris: are you OK with this? We'd rather have all the disruption in one go. The plan is to upgrade to 4.0 after Firefox 4 is released, so we don't disrupt engineering.

Gerv
Whiteboard: bmo4.0-fixed → bmo4.0-resolved
(Reporter)

Comment 5

7 years ago
(In reply to comment #4)
> (We are using bmo4.0-resolved for all bugs resolved by the upgrade, regardless
> of potential resolution.)
> 
> Chris: are you OK with this? We'd rather have all the disruption in one go. The
> plan is to upgrade to 4.0 after Firefox 4 is released, so we don't disrupt
> engineering.
> 
> Gerv

yeah, post ff4 is fine given the schedules ahead of us.

Updated

7 years ago
Whiteboard: bmo4.0-resolved → [bmo4.0-resolved]
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org

Comment 6

4 years ago
8 is now EASILY bruteforceable by GPU if someone ever steals a hash.

Minimum should be 12-16 - and in this end, the requirement for a stupid uppercase character can be removed because the password entropy increases more-than-exponentially for a single extra character to have to try EVERYTHING ELSE for.

http://xkcd.com/936 for god's sake

Comment 7

4 years ago
It's 2014 now with GPUs going crazy for bitcoin hashing - they can crack any 8 character password very quickly.…

http://www.lockdown.co.uk/?pg=combi&s=articles
Flags: needinfo?
(Assignee)

Comment 9

4 years ago
Offline brute forcing time is based off the strength of the hashes, not just the length of the password.
Flags: needinfo?
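Comments 6, 7 and 9 argue about minimum length versus hash strength. The following added example (not code from this bug or from Bugzilla) models the expected offline cracking time for a stolen hash as a function of password length and of the attacker's guess rate; the two guess rates are constructed round figures for a fast unsalted hash and a slow password hash, not measurements.

```python
import math

# Assumed guess rates (guesses per second) for an attacker running an
# offline attack on a stolen hash. Constructed round figures for
# illustration only; not measurements from this bug.
ASSUMED_RATES = {
    "fast unsalted hash": 1e10,  # one cheap hash round per guess on a GPU (assumed)
    "slow password hash": 1e4,   # deliberately expensive KDF per guess (assumed)
}

ALPHABET = 62  # upper + lower + digits, no symbols


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet)


def expected_crack_seconds(length: int, rate: float,
                           alphabet: int = ALPHABET) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return keyspace(length, alphabet) / 2 / rate


def crack_time_table(lengths=(8, 12, 16), rates=ASSUMED_RATES):
    """Expected crack time in years for every (length, hash type) pair."""
    year = 365 * 24 * 3600
    return {
        (length, name): expected_crack_seconds(length, rate) / year
        for length in lengths
        for name, rate in rates.items()
    }


if __name__ == "__main__":
    for (length, name), years in crack_time_table().items():
        print(f"{length:2d} chars, {name:20s}: {years:12.3g} years "
              f"({entropy_bits(length):.1f} bits)")
```

Under these assumed rates an 8-character password falls in hours against the fast hash but takes centuries against the slow one, which is the point of comment 9: the hash cost multiplies the attacker's work just as extra characters do.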