Pfsense password richness
-
This pfsense doc https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#Authentication presents a glimpse into the possible length and set of characters that can be used for a pfsense password since the move to using bcrypt. Yet it is quite vague.
This post https://forum.pfsense.org/index.php?topic=122845.0 suggests that the pfsense "input" field for password management may have "significantly reduced" the richness of our passwords.
bcrypt is reasonably described here: https://en.wikipedia.org/wiki/Bcrypt. This is somewhat confusing, since the algorithm is said to accommodate 72 characters of input but later states a 56-char limit including the null terminator for the string, leaving 55 usable.
To that end, please tell us:
- what is the maximum number of characters one can use in a pfsense password?
- what is the set of characters one can use in the password?
- have you crippled the richness by preventing special characters and, if so, can we get this back?
Bottom line: passwords should be long and rich! And that means special characters supported as well as both upper- and lower-case alphas and numbers.
Ironically, I used a 24-character password with upper and lower case, numbers and special chars for this forum's user password…
thanks
oldunixguy -
-
The implementation of bcrypt on FreeBSD/pfSense has a 72-char limit: https://forum.pfsense.org/index.php?topic=129500.msg714274#msg714274
As for them being "rich", NIST now disagrees. They no longer recommend forced complexity requirements.
https://www.grahamcluley.com/new-nist-guidelines-do-away-with-periodic-password-changes/
As far as I can see, in the code there are no character limitations, but see above re: complexity requirements.
And not that it really matters, but XKCD also disagrees with "rich" passwords.
-
I disagree. I don't use words with substituted lookalike characters (1 or l, o or 0, etc.); this is easily guessed.
I use truly randomized characters and have to write them on a crib sheet I keep in the safe and on an offline USB stick. These have very high entropy. Also, sufficiently long phrases are good, but they must be long. There are new standards that address login names and passwords, found here, that are quite useful.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
https://www.slideshare.net/jim_fenton/toward-better-password-requirements
https://pages.nist.gov/800-63-3/
thanks
oldunixguy -
There are new standards that address login names and passwords, found here, that are quite useful.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
https://www.slideshare.net/jim_fenton/toward-better-password-requirements
https://pages.nist.gov/800-63-3/
Those are all the same thing I linked above, which again does NOT favor complexity. You're free to make passwords however you like, of course. As long as they fit in the 72-character limit.
-
The password shown in the xkcd comic is extremely difficult to crack. Even if an attacker learns that the password is made of dictionary words slapped together, it doesn't help him much, because then he has to guess the number of components used and the exact length of the plaintext password. Even if he manages those, he runs against a combinatorial explosion of different word combinations, and it's pretty much as hard as a simple brute-force attack.
Please don't try to tell me that pre-calculating plain-text words into password hashes would help with such multi-component passwords; if such a thing were possible, the hash function/password scheme would break immediately and completely.
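Two points in this thread can be checked with a few lines of Python: the 72-character bcrypt limit mentioned in the replies above, and the "random characters vs. several dictionary words" entropy argument from the xkcd discussion. The script below is an added example written for this page; it is not pfSense code and not from any poster. One caveat it makes explicit: bcrypt's limit is 72 bytes of the encoded password, not 72 characters, so non-ASCII special characters (2 to 4 bytes each in UTF-8) exhaust the budget faster than ASCII ones, and whatever lies past byte 72 is silently ignored by the hash. The guessing rate, the sample passwords and the 2048-word dictionary size are constructed assumptions for illustration.

```python
import math
import string

# bcrypt derives the hash from at most the first 72 bytes of the password;
# anything after byte 72 is silently ignored. The limit is in bytes, not
# characters, so non-ASCII "special" characters (2-4 bytes each in UTF-8)
# use up the budget faster than ASCII ones.
BCRYPT_MAX_BYTES = 72

# Constructed assumption for the brute-force timing illustration below; real
# bcrypt guessing rates are far lower because the hash is deliberately slow.
ASSUMED_GUESSES_PER_SECOND = 1e10


def bcrypt_usable_bytes(password: str) -> int:
    """Number of UTF-8 bytes of the password that bcrypt will actually hash."""
    return min(len(password.encode("utf-8")), BCRYPT_MAX_BYTES)


def fits_bcrypt(password: str) -> bool:
    """True when no part of the password is discarded before hashing."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, assuming they know which
    character classes appear in the password but not which characters.
    ASCII classes are counted in full; any other character counts as one
    extra symbol each."""
    classes = [
        string.ascii_lowercase,   # 26
        string.ascii_uppercase,   # 26
        string.digits,            # 10
        string.punctuation,       # 32
    ]
    size = 0
    for chars in classes:
        if any(c in chars for c in password):
            size += len(chars)
    others = {c for c in password if not any(c in chars for chars in classes)}
    return size + len(others)


def random_password_bits(password: str) -> float:
    """Entropy in bits if every character was drawn uniformly from charset_size()."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n > 1 else 0.0


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy in bits of num_words words drawn uniformly from a word list,
    i.e. what the attacker faces even knowing the scheme and the list."""
    return num_words * math.log2(dictionary_size)


def passphrase_search_space(max_words: int, dictionary_size: int) -> int:
    """Candidates an attacker must cover when they know the word list but not
    how many words were used (every count from 1 to max_words)."""
    return sum(dictionary_size ** k for k in range(1, max_words + 1))


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a 2**bits space at a fixed rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    random_24 = "q7K!m2Pz#Vw9Lr$Ht4Yb@Nx8"       # 24 random chars, 4 classes
    phrase = "correct horse battery staple"   # the xkcd example, 4 common words
    for pw in (random_24, phrase, "é" * 40):
        print(f"{pw!r}: {len(pw)} chars, {len(pw.encode())} bytes, "
              f"fits bcrypt: {fits_bcrypt(pw)}")
    print(f"random 24-char: {random_password_bits(random_24):.1f} bits, "
          f"{years_to_exhaust(random_password_bits(random_24)):.3g} years")
    b = passphrase_bits(4, 2048)
    print(f"4 words from 2048: {b:.1f} bits, {years_to_exhaust(b):.3g} years")
    print(f"unknown word count (1-4): {passphrase_search_space(4, 2048):,} candidates")
```

Running it shows why the two sides of the thread are not really in conflict: a 24-character password drawn from all four ASCII classes carries about 157 bits, while four words from a 2048-word list carry 44 bits even against an attacker who knows the list, and not knowing the word count only adds a small fraction on top. Either is far beyond what a bcrypt-rate guesser can exhaust; the practical limit an administrator must watch is the 72-byte truncation, which the `fits_bcrypt` check catches before a long or non-ASCII password is silently shortened.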