On Thu, Feb 26, 2015 at 3:30 AM, Hubert Kario <hkario(a)redhat.com> wrote:
> Talking about entropy without talking about how severe will be the
> limiting or password lifetimes will also lead us nowhere.

OK, so the password lifetime thing: I just fired my ISP for having 3
month mandatory password changes. I think it's a bad idea that
actually makes us less safe.
> If we use the NIST recommendation of 100 unsuccessful login attempts
> account lockout and 30 day password rotation, then we may be fine with just 10
> bit entropy - that of a random 4 digit PIN or single dictionary password.

OK yet my bank card 4 digit PIN doesn't rotate. It never expires. It's
been the same for 8+ years.
I strongly advise when considering what work needs to be done, you
consider what sort of work will be resoundingly rejected. Overwhelmingly
users will reject both password quality enforcement and expirations.
So if they're totally off the table, now what? What's your next design
idea for hardening? Because *that* is the one that probably has the best
bang for the buck.
To put a finer point on this: some of you probably assume the human
primate is much more agreeable than they really are. The thing is, as
soon as they get to a certain threshold of frustration, they go
berserk. They scream, they throw things, they create uproar, make all
sorts of off topic rants and insults – incredible amounts of
irrational behavior. And there's a reason for this. It's a successful
sociological behavior. If the uproar is just widespread enough, if
enough peripheral individuals who otherwise would say nothing see a
fellow primate flipping out then they feel like it's socially
acceptable to complain also (rationally or irrationally) when they
otherwise wouldn't; people will be sucked into a vortex of
manufactured controversy explicitly (though unconsciously) designed
for the minority to veto a change. The entire point is to be
And this has happened before on this very issue the last time Anaconda
folks changed the password behavior. And I think the current behavior
in the installer (the change) is more controversial than that one.
Now maybe our fellow primates get riled up and worn out about some
other controversy first. And somehow the password change sneaks in
under the radar. I seriously doubt it, and I think expecting it will
is very high risk. I think we're better off assuming the worst, not
the best, and trying to leave the unpredictable user out of the
equation entirely until absolutely necessary.
So for any of you who don't like verbal fist fights? You're not
serious. You don't take these changes seriously enough if you're not
willing to argue vehemently, angrily, in favor of them. You have to
demonstrate to your fellow primates that this is serious business and
we have no alternatives right now than to shift the burden to the
user. If you can't do that and stick with it, give it up. Instead,
consider the alternatives that don't require user cooperation.
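As an added illustration, not part of this thread, here is a small model of the trade-off quoted above between lockout, rotation and entropy: the online success probability for a uniformly random secret, comparing the quoted 100-attempts-per-30-days style of lockout with a hard lockout that never resets. The 3-attempt card block is an assumed figure, not something stated in the thread.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """How many failed online guesses an attacker gets before lockout.

    window_days=None models a hard lockout: the failure counter never resets,
    so the attacker gets max_attempts guesses over the secret's whole lifetime.
    """
    max_attempts: int
    window_days: Optional[float] = None

    def guesses_over(self, lifetime_days: float) -> float:
        if self.window_days is None:
            return float(self.max_attempts)
        # Rolling window: the allowance is renewed every window_days.
        return self.max_attempts * (lifetime_days / self.window_days)


def entropy_bits(keyspace: int) -> float:
    """Entropy of a secret drawn uniformly from keyspace possibilities."""
    return math.log2(keyspace)


def guess_success_probability(keyspace: int, policy: LockoutPolicy,
                              lifetime_days: float) -> float:
    """Chance a uniform secret is guessed online before it is replaced."""
    return min(1.0, policy.guesses_over(lifetime_days) / keyspace)


def required_entropy_bits(target: float, policy: LockoutPolicy,
                          lifetime_days: float) -> float:
    """Smallest uniform entropy keeping success at or below target."""
    return math.log2(policy.guesses_over(lifetime_days) / target)


if __name__ == "__main__":
    rolling = LockoutPolicy(max_attempts=100, window_days=30)  # figures quoted in the thread
    hard = LockoutPolicy(max_attempts=3)                       # assumed card block after 3 wrong PINs
    pin = 10 ** 4                                              # 4-digit PIN keyspace
    print(f"10-bit secret, rolling lockout, 30-day rotation: {guess_success_probability(2 ** 10, rolling, 30):.3f}")
    print(f"4-digit PIN is {entropy_bits(pin):.1f} bits, same policy: {guess_success_probability(pin, rolling, 30):.3f}")
    print(f"4-digit PIN, rolling lockout, unchanged 8 years: {guess_success_probability(pin, rolling, 8 * 365):.3f}")
    print(f"4-digit PIN, hard 3-attempt lockout, 8 years:  {guess_success_probability(pin, hard, 8 * 365):.4f}")
    print(f"Bits for 1-in-1024 under rolling lockout, 30 days: {required_entropy_bits(1 / 1024, rolling, 30):.1f}")
```

The last two lines of output show the point the reply is making from the other direction: whether a never-rotated PIN is safe depends far more on the lockout design than on the user changing it.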