FESCO request to revert password confirmation change in F22

Tue Mar 10 20:16:44 UTC 2015

On Tue, Mar 10, 2015 at 4:15 AM, Björn Persson <Bjorn at rombobjörn.se> wrote:
> Kevin Kofler wrote:
>> The user surely knows better what a good password is than the
>> software does. If the user picks a crappy password, there's probably a good
>> reason.
>
> There are two possible reasons why you would say that. Either you
> haven't even looked at the Ars Technica articles that have been
> discussed in this thread, or else you believe that a majority of users
> of all sorts of web services think it's all right if all the spies and
> script kiddies in the world have full access to their accounts.

I do not deny that weak passwords in certain contexts expose users to
risks *I* don't feel comfortable with. Educating them is appropriate
to the degree I think it's an obligation. Coercing them is
inappropriate to the degree I'd rather see them hacked.

Propose an ethical challenge to that.

What's been proposed (and implemented) in the installer right now
embraces the slipper slope of taking responsibility for a class of
users. This is fraught with epistemic questions, including ethical
ones. And the choice is to go after very weak passwords, but not weak
ones. Why?

What happens to this debate if the minimum passphrase is set to 25
characters? This has sound basis, congruent with all of the concerns
from various popular web sites and services, to the cited XKCD, Ars
Technica, Schneier articles, and others I've cited elsewhere including
security@ list on this topic.

Today Schneier raises the possibility the NSA has broken Microsoft's
BitLocker. And yet we're debating whether to babysit users passwords.
It's a juxtaposition that amuses me greatly. But it's a digression.

So why not a 25 character limit? How does that change the debate? I
for one would stop even debating it. I think even Kevin could consider
just giving up the debate, because at that point, there would be
thousands of users who would be having conniption fits. I doubt anyone
would dispute this.

So what does that tell us? It tells us people don't like being
coerced. They don't like their judgement questioned. And it tells us
password enforcement proponents presume that all of these ethical
problems can be swept under the rug when there are few complainers.
Ergo, might makes right.

And promptly you've arrived at the very old debate of Thrasymachus.
You do not get to just set it aside just because you don't like either
its questions or its conclusions.

What is Fedora going to be as it grows up? An enforcer of principles?
An encourager of principles? An aggressive educator of principles?

Let's try a real world example:

Briefly opine on the fact on my mobile device I don't set a password
at all. It's just a lock screen. Anyone can unlock it. I also don't
encrypt it. Does it make you nervous on my behalf? Do you think it's
bad judgment? Do you lock and/or encrypt your wallet? If not, why not?
How is a mobile device different from a wallet (other than the obvious
physical differences)? Are Google, Cyanogen, Apple, Microsoft acting
wrongly by permitting no passwords on mobile devices? If so, why would
they do this?

I use a relatively strong 6 word passphrase for FDE on my laptop
however. How do you account for this difference in policy? If you
can't explain this sufficiently that you can enable it as an
enforceable policy, I don't see how you've done the very basic (though
extremely difficult and expensive) epistemic work to start forcing
people to change their behavior rather than just educate them. Because
without that, I think you'll lack sufficient mandate for a might makes
right policy.

-- 
Chris Murphy