Summary of password strength discussion

Michael Catanzaro mcatanzaro at
Thu Jul 23 16:55:47 UTC 2015


At the last WG meeting [1] we discussed the password strength issue. We
agreed on four main points:

1) Fedora Workstation will ship a custom .conf file in
/etc/security/pwquality.conf.d, which is now possible in F23 [2].
2) gnome-initial-setup will be modified to prevent the user from
setting a password that would be rejected by libpwquality.
3) We need to test a reasonable set of passwords we'd want to succeed,
to make sure the settings we chose in (1) are correct.
4) Our requirements for local password strength will allow passwords
that would be much too weak were remote access via SSH to be enabled.
We should have some user interaction when enabling SSH in the Sharing
panel to force the user to pick a much stronger password.

Note: point (1) allows corporate deployments to set their own password
policies, which will be respected by GNOME, to meet their own security
needs, by modifying /etc/security/pwquality.conf (which overrides the
settings in /etc/security/pwquality.conf.d).

Point (4) above sets the goal of setting stricter password requirements
when remote access is enabled. Remote access is disabled by default and
will remain disabled forever for most Workstation users, so it's not
appropriate for that case to dictate our default password requirements.
This means only physical adversaries are interesting to consider.

We haven't yet discussed what is the reasonable set of passwords we'd
want to succeed. I propose the following starting point for this
discussion, from [2]: "In Fedora Workstation, we expect passwords to be
used to provide good security against nontechnical human beings with
physical access to the computer, physically typing away at the
keyboard. By default, they aren't intended to protect against
sophisticated adversaries. We therefore want to allow users to set much
weaker passwords than are currently permitted by libpwquality, since
longer passwords don't provide any practical benefit to most of our

You might not worry about people breaking into your house to steal your
desktop computer, but we _should_ be concerned about laptops. But to
protect against a sophisticated physical adversary, disk encryption is
required and the local password is not very interesting.

We still need more effort to define what should be acceptable
passwords. One possibility: "Examples of acceptable passwords include
'berlin,' 'wombat,' and 'butter.' Any of these would work great at
keeping out a human typing on the keyboard." This implies that we
disable pwquality's use of cracklib in the pwquality configuration
file, and reduce the minimum acceptable characters down as far as
pwquality allows (6, I think).

Keep in mind that we've established that pwquality is not very good at
rating password strength.
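
An added example, not part of the original message or of libpwquality: a small check that resolves the effective pwquality settings using the precedence described in the note on point (1) (drop-ins first, then /etc/security/pwquality.conf overriding them) and flags the relaxed local policy from points (1) and (4) on a host where SSH is enabled. The drop-in name 10-workstation.conf, the remote_minlen threshold of 12, the DEFAULTS values and the sample files are assumptions constructed for illustration.

```python
import os, tempfile

# Assumed library defaults; confirm against pwquality.conf(5) on your release.
DEFAULTS = {"minlen": 8, "dictcheck": 1}

def parse_conf(path):
    """Parse 'option = value' lines; '#' starts a comment."""
    out = {}
    with open(path) as fh:
        for line in fh:
            key, _, val = line.split("#", 1)[0].partition("=")
            if key.strip():
                out[key.strip()] = int(val) if val.strip().isdigit() else val.strip()
    return out

def effective_settings(root):
    """Drop-ins are read in sorted order, then pwquality.conf, which wins."""
    sec = os.path.join(root, "etc/security")
    settings = dict(DEFAULTS)
    dropin = os.path.join(sec, "pwquality.conf.d")
    if os.path.isdir(dropin):
        for name in sorted(os.listdir(dropin)):
            if name.endswith(".conf"):
                settings.update(parse_conf(os.path.join(dropin, name)))
    main = os.path.join(sec, "pwquality.conf")
    if os.path.isfile(main):
        settings.update(parse_conf(main))
    return settings

def audit(settings, ssh_enabled, remote_minlen=12):
    """Flag a local-only policy on a host that accepts remote logins."""
    findings = []
    if ssh_enabled and settings["minlen"] < remote_minlen:
        findings.append(f"minlen={settings['minlen']} < {remote_minlen} with SSH enabled")
    if ssh_enabled and settings["dictcheck"] == 0:
        findings.append("dictcheck disabled with SSH enabled")
    return findings

def demo():
    """Constructed tree: a relaxed vendor drop-in, then a site override."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "etc/security/pwquality.conf.d")
        os.makedirs(d)
        with open(os.path.join(d, "10-workstation.conf"), "w") as fh:
            fh.write("# relaxed local policy\nminlen = 6\ndictcheck = 0\n")
        relaxed = effective_settings(root)
        with open(os.path.join(root, "etc/security/pwquality.conf"), "w") as fh:
            fh.write("minlen = 14\ndictcheck = 1\n")
        return relaxed, audit(relaxed, True), effective_settings(root)
```

Calling effective_settings("/") on a real system reports what a password change will actually be checked against; demo() runs the same logic on a constructed tree.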

