Heads up - Anaconda 22.17 will enforce 'good' passwords

Chris Murphy lists at colorremedies.com
Fri Jan 30 21:40:07 UTC 2015


On Fri, Jan 30, 2015 at 1:13 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> Just FYI, this will likely be my last post to this thread.
>
> On Fri, 30 Jan 2015 12:59:12 -0700
> Chris Murphy <lists at colorremedies.com> wrote:

>> Users who want or need more secure passwords can always opt in without
>> affecting anyone else. Why is the project's installer not merely
>> questioning the user's veracity and competency, but disallowing them,
>> by force, from doing what they think is in their best interest?
>
> Because you cannot just say "This is some decision, I know whatever I
> do will have good and bad tradeoffs, therefore, I will just not decide
> and expose all the possible choices to the user". That's just not
> tenable.

Except we do exactly that with custom partitioning on UEFI systems, by
making users responsible for things they've never previously been
responsible for, and the same developers defend this UI with "users
are expected to know what they're doing" in that UI.

And at the same time, what has been tenable is that we haven't had a
password requirement up until now, the same as every other major distro
and OS on the planet. Can anyone name another OS that has minimum
quality password enforcement by default for device login access? I
can't think of any.


>> > I'll have to change my throw away
>> > instance test password from 'abc123' to something like 'tacosyum99'
>> > Shrug.
>>
>> You fail to understand the can of worms opened up by this. My trust in
>> Fedora is diminished because of the theatrics and indiscriminately
>> shifting this burden onto all users. The arguments in favor thus far
>> are demonstrably specious, so there must be some other explanation for
>> why the change is being made.
>
> I think most people think it's not such a big deal and cannot see why
> you are so stridently affected by it.

Its effect on me personally is moot. I am a user advocate, and as such
I trust the overwhelming majority of users to set an appropriate
password for their use case, rather than this condescending
babysitting nonsense that impacts security almost nil, and impacts
usability significantly and disproportionately.

I think users should be educated and incentivized to make the right
choices for their use case. By making this involuntary the project is
absolutely saying "we do not trust the user to make this decision
voluntarily, which is why we have to force them into making better
passwords regardless of the context and use case."

When you stop trusting me, I stop trusting you. And that's a huge
problem, and thus far the engineering types are looking at this with
narrow vision: it's 2 more key presses. They aren't looking at this at
all from the perspective of its connotation.

Not even Windows, that rat trap of security problems, requires this of
me. What's wrong with Fedora that I am *required* to have a stronger
password here than on any of my other devices?


-- 
Chris Murphy