Summary of password strength discussion

Michael Catanzaro mcatanzaro at gnome.org
Thu Jul 23 18:34:10 UTC 2015


On Thu, 2015-07-23 at 13:45 -0400, Matthew Miller wrote:
> How would this work when there are multiple users on the system? Would
> they all need to pick new passwords at this point?

Hadn't considered this. Does the sharing panel enable remote access
for all user accounts? That would not be very intuitive....

> For that matter, how do you know that the original passwords weren't
> already strong enough?

g-i-s and g-c-c could save the password strength when the password is
set. But if you set your original password some other way, then the
only way would be to force the user to enter his current password.
Which has to be done anyway to set the new one, so we probably just
assume the current password is not strong enough?

> I didn't look at the code, but I was just playing with libpwquality a
> little bit, and it appears that a number of basic checks, like looking
> for palindromes, are actually disabled as part of disabling dictionary
> checks. That may or may not be what you want. An alternative to
> disabling dictionary checks would be to use a smaller dictionary -
> still restricting password, 123456, qwerty, and the like (I think it's
> reasonably argued that these would not be "great" at keeping out a
> human typing on the keyboard)

I think that's probably what we want.
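
The approach discussed in the quoted text above (keep basic checks such as palindrome detection, but match against a small list of very common passwords instead of a full dictionary), as an added sketch that is not part of the original message and is not libpwquality code. The word list, substitution table and function names are constructed for illustration.

```python
# Added illustration; not libpwquality or cracklib code.
# SMALL_DICT is a constructed sample; a real list would be curated and longer.
SMALL_DICT = frozenset({"password", "123456", "qwerty", "letmein", "abc123"})

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")

# Digits and punctuation that users typically append to a common password.
TRAILING = "0123456789!@#$%^&*?."


def is_palindrome(pw):
    """True if the password reads the same in both directions (case-insensitive)."""
    s = pw.lower()
    return len(s) > 1 and s == s[::-1]


def variants(pw):
    """Normalised forms of pw to compare against the small dictionary."""
    base = pw.lower()
    forms = set()
    # Check the password as typed and with an appended suffix removed.
    for s in (base, base.rstrip(TRAILING)):
        forms.update((s, s[::-1], s.translate(LEET)))
    forms.discard("")  # an all-digit password strips down to nothing
    return forms


def check_password(pw):
    """Return a list of rejection reasons; an empty list means both checks passed."""
    reasons = []
    # The palindrome check runs independently of the dictionary lookup,
    # so shrinking or swapping the dictionary does not switch it off.
    if is_palindrome(pw):
        reasons.append("palindrome")
    hit = variants(pw) & SMALL_DICT
    if hit:
        reasons.append("based on common password: " + sorted(hit)[0])
    return reasons


if __name__ == "__main__":
    for sample in ("qwerty", "P@ssw0rd", "ytrewq", "abcddcba", "password1!"):
        print(sample, "->", check_password(sample))
```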

