We need to up the password policy character length for b.m.o to 8 characters.
Is there a particular reason that this is being requested right now? Just trying to understand all possible reasons/situations. What minimum length are other Mozilla sites using? I have no problem with the minimum length being larger for those with some type of special access, but most of our users aren't special, so maybe we should make a special case extension or something. Also, please remove infra from this bug. Only one of the four current bmo hackers is in that group. I've added the webtools-security group for now, but I don't think this really needs to be private at all, honestly.
min of 8 is going to be the standard for all sites moving forward.
Group: infra, webtools-security
As this has major implications with regards to existing users, we'll make this change part of the 4.0 upgrade.

Committing to: bzr+ssh://bzr.mozilla.org/bmo/4.0/
modified Bugzilla/Constants.pm
Committed revision 7490.
Assignee: nobody → reed
Status: NEW → ASSIGNED
Summary: password policy for b.m.o change → Use 8 characters as the minimum password length
(We are using bmo4.0-resolved for all bugs resolved by the upgrade, regardless of potential resolution.) Chris: are you OK with this? We'd rather have all the disruption in one go. The plan is to upgrade to 4.0 after Firefox 4 is released, so we don't disrupt engineering. Gerv
Whiteboard: bmo4.0-fixed → bmo4.0-resolved
(In reply to comment #4)
> (We are using bmo4.0-resolved for all bugs resolved by the upgrade, regardless
> of potential resolution.)
>
> Chris: are you OK with this? We'd rather have all the disruption in one go. The
> plan is to upgrade to 4.0 after Firefox 4 is released, so we don't disrupt
> engineering.
>
> Gerv

Yeah, post ff4 is fine given the schedules ahead of us.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
8 is now EASILY brute-forceable by GPU if someone ever steals a hash. Minimum should be 12-16 - and to this end, the requirement for a stupid uppercase character can be removed because the password entropy increases more-than-exponentially for a single extra character to have to try EVERYTHING ELSE for. http://xkcd.com/936 for God's sake.
It's 2014 now with GPUs going crazy for bitcoin hashing - they can crack any 8 character password very quickly.… http://www.lockdown.co.uk/?pg=combi&s=articles
Offline brute forcing time is based off the strength of the hashes, not just the length of the password.
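The last three comments argue about two different levers: password length (and whether a forced uppercase character buys much) versus the cost of the stored hash. The following is an added example, not part of this bug or of Bugzilla's own code, that puts numbers on both. The guess rates are illustrative assumptions (a fast unsalted hash versus a deliberately slow password KDF), not measured figures; the character-class sizes are the real counts.

```python
import math

# Character-class sizes behind the usual "must contain uppercase/digit" rules.
LOWER, UPPER, DIGITS = 26, 26, 10
MIXED_ALNUM = LOWER + UPPER + DIGITS  # 62 symbols

# Assumed attacker throughput (illustrative assumptions, not benchmarks):
# a fast unsalted hash lets a GPU rig test far more candidates per second
# than a slow, tunable password hash such as bcrypt/scrypt/PBKDF2.
GUESS_RATES = {
    "fast hash (assumed 1e10 guesses/s)": 1e10,
    "slow KDF (assumed 1e4 guesses/s)": 1e4,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of that shape, in bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def policy_report(policies, rates=GUESS_RATES):
    """Map each (label, charset_size, length) policy to its entropy and
    worst-case exhaustion time under every assumed guess rate."""
    report = {}
    for label, charset_size, length in policies:
        report[label] = {
            "bits": entropy_bits(charset_size, length),
            "times": {rate_label: seconds_to_exhaust(charset_size, length, rate)
                      for rate_label, rate in rates.items()},
        }
    return report


# Constructed policies: the 8-char mixed-case minimum under discussion versus
# a longer lowercase-only password with no composition rule at all.
POLICIES = [
    ("8 chars, mixed case + digits", MIXED_ALNUM, 8),
    ("12 chars, lowercase only", LOWER, 12),
    ("16 chars, lowercase only", LOWER, 16),
]

if __name__ == "__main__":
    for label, row in policy_report(POLICIES).items():
        print(f"{label}: {row['bits']:.1f} bits")
        for rate_label, secs in row["times"].items():
            print(f"  {rate_label}: {human_duration(secs)}")
```

Two things fall out of running it. Twelve lowercase characters already carry more entropy than eight mixed-case alphanumerics (26^12 exceeds 62^8), which is the length-over-composition point above. And for the same 8-character policy, moving from the assumed fast hash to the assumed slow KDF stretches full exhaustion from hours to centuries, which is the point that crack time depends on the hash, not only on the length.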