
Bug#998408: debian-installer: "good password" advice



Source: debian-installer
Version: 20210731+deb11u1
Severity: normal
Tags: upstream
X-Debbugs-Cc: alx.manpages@gmail.com

Dear Maintainer,

The Debian installer contains the following advice:

"A good password will contain a mixture of letters, numbers and punctuation
and should be changed at regular intervals."

I disagree with this statement, which has been passed around for decades
in many different environments as a "universal truth", which only causes
headaches and necessarily ends up in <https://xkcd.com/936/>.

The opposite is actually true:

- _Good_ passwords don't need to be changed that much.  When was the last
  time you changed your PGP key?  Probably never.

- Especially if you use a different password for every different account,
  you don't need to change them at all, unless they have been stolen, or
  you suspect that might have happened.

- Adding punctuation to passwords only creates problems for yourself when
  you need to type it on a different keyboard, not for a computer that can
  brute-force it.  To put some numbers on it:

  a) Different characters if you use only (uppercase and lowercase) letters
     and numbers:
       26 letters * 2 + 10 numbers = 62

  b) Now, assume you can use the symbols available in your keyboard.  My
     ANSI keyboard shows 32 different symbols other than the above.
       62 + 32 = 94

  Let's compare a 32-byte password using (b), to a 64-byte password
  using only (a):

        62**64 = 5.16e+114 combinations

        94**32 = 1.38e+63 combinations

        You would only need 38 characters of an alphanumeric password
        to have approximately the same strength (1.29e+68) as a braindamaged
        symbol password of 32 characters.

  So, you're adding difficulty to typing your own password for no reason
  at all when you could just add a few more bytes to your sane password.

  If you're using a password manager, it can surely remember 64
  alphanumeric bytes.  I'm not sure if it will remember correctly some
  weird combination of characters.  So if you're using a password manager,
  the best advice would be to use $(makepasswd --chars 64) and forget it.

  I must confess I have passwords that would make xkcd guys laugh, and
  they are for the few sites that still have those weird requirements.
  And when I'm forced to update it, you can guess how I do it :)
  (I don't feel guilty; not my fault).

  And if you need a password that you should remember, like your BIOS
  password, or your login password, you can't use a password manager, so
  there's even more reason to use a memorable but long one, and forget
  about the symbols.  $(goxkcdpwgen) should work for you, and maybe you
  can use some options to it if you want a longer one.

  So my advice would be instead:

  "A good password will not need rare characters, but rather be as long
  as possible.  Having a memorable random password can help it be
  longer, and therefore stronger."

  Or something similar.

Sorry for the rant :-)

Thanks,

Alex


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-3-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

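The keyspace comparison in the report, worked through in code. This is an added example and not part of the bug report or of debian-installer; it uses the report's alphabet sizes (62 alphanumerics, 32 keyboard symbols, 94 in total), computes the exact smallest alphanumeric length whose keyspace reaches that of a 32-character 94-symbol password, and generates both kinds of password the report recommends (a long random alphanumeric string for a password manager, and an xkcd-936-style passphrase for one you must remember). The 32-word list is constructed for the demo and far too small for real use; a real list such as the EFF's has 7776 words.

```python
import math
import secrets
import string

# Alphabets from the report: 62 letters+digits, the 32 other printable ASCII
# symbols on a US keyboard, 94 in total.
ALNUM = string.ascii_letters + string.digits   # 62 characters
SYMBOLS = string.punctuation                   # 32 characters
FULL = ALNUM + SYMBOLS                         # 94 characters

# Constructed, deliberately tiny word list for the passphrase demo: 32 words,
# so only 5 bits per word.  A real list (e.g. EFF's 7776 words) gives ~12.9.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle",
    "desert", "eagle", "forest", "garden", "harbor", "island", "jungle",
    "kettle", "ladder", "meadow", "needle", "orange", "pebble", "quartz",
    "river", "saddle", "tunnel", "umbrella", "valley", "walnut", "yellow",
    "zephyr", "copper", "lantern", "marble",
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn uniformly
    from an alphabet of `alphabet_size` characters (exact integer)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_to_match(target_alphabet: int, target_length: int,
                    alphabet_size: int) -> int:
    """Smallest length over an alphabet of `alphabet_size` whose keyspace is
    at least that of `target_length` characters over `target_alphabet`.
    Uses integer comparison so there is no float rounding at the boundary."""
    target = keyspace(target_alphabet, target_length)
    n = 1
    while keyspace(alphabet_size, n) < target:
        n += 1
    return n


def random_alnum(length: int = 64) -> str:
    """Alphanumeric password from the OS CSPRNG: the password-manager case."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """xkcd-936-style passphrase for a password a human has to remember."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist=WORDLIST) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from wordlist."""
    return entropy_bits(len(wordlist), words)


if __name__ == "__main__":
    print(f"62^64 = {keyspace(62, 64):.2e}  ({entropy_bits(62, 64):.1f} bits)")
    print(f"94^32 = {keyspace(94, 32):.2e}  ({entropy_bits(94, 32):.1f} bits)")
    n = length_to_match(94, 32, 62)
    print(f"alphanumeric length matching 94^32: {n}  ({keyspace(62, n):.2e})")
    print("manager password:  ", random_alnum())
    print("memorable password:", random_passphrase(),
          f"({passphrase_bits(6):.0f} bits with this toy list)")
```

`length_to_match` returns the exact minimum rather than the rounded figure quoted in the report; the point either way is that a few extra alphanumeric characters outweigh the whole symbol set, and that passphrase strength comes from the word-list size and the word count, not from punctuation.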
