Summary of password strength discussion

Chris Murphy lists at
Fri Jul 24 16:48:14 UTC 2015

On Fri, Jul 24, 2015 at 10:27 AM, Matthew Miller
<mattdm at> wrote:
> On Fri, Jul 24, 2015 at 09:40:53AM -0600, Chris Murphy wrote:
>> > would it be reasonable to expect the sort of user that wants to use
>> > SSH to be able to set that up?
>> No. PKA is an esoteric skill, and you're confused by thinking it's a
>> basic one.
> We could set up two-factor authentication with FreeOTP.
> Have the dialog provide a QR code for
>  a)
> and then also a token. Leave the users' password as six letters or
> whatever, but also require this for SSH.
> Still a little esoteric, but provisioning is easier, and people are
> getting more used to it in general, hopefully. And as a bonus, this
> jumps us up to level 3 identity assurance, I believe.

OK, but still not by default. Not everyone has a smart phone. And mine
runs into this FreeOTP bug:

This stuff has to be opt in, not opt out.

Chris Murphy

More information about the desktop mailing list