# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
- # A note on security: The security of the RADIUS protocol
+ # A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
- # shared secret that is composed of:
- #
- # upper case letters
- # lower case letters
- # numbers
- #
- # And is at LEAST 8 characters long, preferably 16 characters in
- # length. The secret MUST be random, and should not be words,
- # phrase, or anything else that is recognisable.
+ # shared secret that at LEAST 16 characters long. It should
+ # preferably be 32 characters in length. The secret MUST be
+ # random, and should not be words, phrase, or anything else
+ # that is recognisable.
+ #
+ # Computing power has increased enormously since RADIUS was
+ # first defined. A hobbyist with a high-end GPU can try ALL
+ # of the 8-character shared secrets in about a day. The
+ # security of shared secrets increases MUCH more with the
+ # length of the shared secret, than with number of different
+ # characters used in it. So don't bother trying to use
+ # "special characters" or anything else in an attempt to get
+ # un-guessable secrets. Instead, just get data from a secure
+ # random number generator, and use that.
+ #
+ # You should create shared secrets using a method like this:
+ #
+ # d if=/dev/random bs=1 count=24 | base64
+ #
+ # This process will give output which takes 24 random bytes,
+ # and converts them to 32 characters of ASCII. The output
+ # should be accepted by all RADIUS clients.
+ #
+ # You should NOT create shared secrets by hand. They will
+ # not be random. They will will be trivial to crack.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
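Review bot: the example command in the new comment is misspelled and will not run as written: `# d if=/dev/random bs=1 count=24 | base64` should read `# dd if=/dev/random bs=1 count=24 | base64` (the `dd` utility is what takes `if=`, `bs=` and `count=`). Since administrators copy these lines verbatim, the typo turns the recommended procedure into a shell error; consider also noting that `head -c 24 /dev/urandom | base64` is an equivalent one-liner on systems where `/dev/random` may block. The arithmetic in the explanation is right (24 random bytes base64-encode to exactly 32 characters with no padding). Three grammar slips in the same added text should be fixed before merge: "shared secret that at LEAST 16 characters long" is missing "is"; "should not be words, phrase, or anything else" should be "words, phrases, or anything else"; and "They will will be trivial to crack" doubles "will".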