Just FYI, this will likely be my last post to this thread.
On Fri, 30 Jan 2015 12:59:12 -0700
Chris Murphy <lists(a)colorremedies.com> wrote:
> ATMs have rate and retry limits, among other mechanisms, to permit a
> 4 digit numeric PIN being adequately secure. Does Fedora have limits on
> rate and retries? If not, why not?
I think there are in ssh. I don't know the details.
> Users who want or need more secure passwords can always opt in
> without affecting anyone else. Why is the project's installer not merely
> questioning the user's veracity and competency, but disallowing them,
> by force, from doing what they think is in their best interest?
Because you cannot just say "This is some decision, I know whatever I
do will have good and bad tradeoffs, therefore, I will just not decide
and expose all the possible choices to the user". That's just not
tenable.
> What is the plan should no one care to harden Fedora security in
> other ways? 16 character passwords are next? The diceware minimum
> recommended passphrase is made of 5 words. If the project cares so
> much about other people's minimum acceptable security that it's
> willing to enforce this under duress, why not make it actually
> meaningful? Oh, because a 20 character passphrase being compulsory
> might actually make too many users angry for suggesting their
> passwords are shit.
I don't know that there's any plans to go higher.
The Fedora account system requires 9 (if mixed with different case and
punctuation).
> > apg (along with many other things) can generate you a list of
> > passwords and 'pwscore' can make sure they will pass the same tests
> > anaconda would give them.
> >
> > IMHO, this isn't so big a deal.
> And apg and pwscore are going to be integrated into the Anaconda GUI?
> I doubt it?
> Or will the GUI simply be an enforcer while providing zero assistance
> in selecting an appropriate password? What feedback will the user be
> given so they understand what exact change in behavior they need to
> make?
I don't know. Perhaps you could provide some sensible RFE on what
feedback it should/could give?
> Have you actually played with pwscore?
Yes.
> # pwscore root
> shrkobtk
> 1
> # pwscore root
> tableprison
> 41
> # pwscore root
> inforats
> Password quality check failed:
> The password fails the dictionary check - it is based on a
> dictionary word
>
> This defies belief. Random scores lowest. Two dictionary words scores
> average. A dictionary word fragment and a plural noun is disqualified.
> Ridiculous.
Feel free to file bugs on it. I suspect the random one is due to it
being short as well as all lower case and containing no numbers.
> > I'll have to change my throw away
> > instance test password from 'abc123' to something like 'tacosyum99'
> > Shrug.
> You fail to understand the can of worms opened up by this. My trust in
> Fedora is diminished because of the theatrics and indiscriminately
> shifting this burden onto all users. The arguments in favor thus far
> are demonstrably specious, so there must be some other explanation for
> why the change is being made.
I think most people think it's not such a big deal and cannot see why
you are so stridently affected by it.
kevin