Heads up - Anaconda 22.17 will enforce 'good' passwords

Chris Murphy lists at colorremedies.com
Thu Jan 29 21:01:22 UTC 2015


On Wed, Jan 28, 2015 at 5:33 PM, Samuel Sieb <samuel at sieb.net> wrote:

> I just don't understand the reasoning here.  Sure, make it very clear that
> the chosen password is weak.  Make me jump through several hoops before
> accepting the weak password.  But it's my computer!  Why can't I make the
> (informed) choice to use a weak password?

What was the reasoning from the Anaconda team the last time they tried
to enforce a password policy change without consulting anyone else
about it? It was conjecture. And they didn't ask any security experts
about the idea in advance then either. Calm, rational criticism was
met with stubborn condescension from the developers. It took a
firestorm on devel@ to get them to change their mind.

And this time, once again several people have offered calm, rational
feedback (on anaconda-devel@) about how this doesn't improve security
in any meaningful way, but does inhibit testing in a meaningful way.
But this has been ignored and summarily rejected. While consistent
with the track record, it's beyond tedious that anaconda devs tend to
respond better to vinegar than honey.

So, I'm not sure why you'd expect any kind of reasoning to be
presented for yet another installer security mis-feature that's
completely orthogonal to the original sshd proposal.

If this is really an improvement in security, which it isn't because
an 8 character "good" password still has very low entropy, then it
should have to go through the feature process, which it hasn't. Such
enforcement doesn't happen on Ubuntu, openSUSE, Android, iOS, Windows,
or OS X and I think the anaconda developers need to be very clear what
problem they're trying to address. Because right now it's a
faux-solution in search of a problem.

-- 
Chris Murphy

