Summary of password strength discussion

Chris Murphy lists at colorremedies.com
Mon Jul 27 17:19:41 UTC 2015 

On Mon, Jul 27, 2015 at 8:06 AM, Matthew Miller
<mattdm at fedoraproject.org> wrote:
> On Fri, Jul 24, 2015 at 01:01:47PM -0600, Chris Murphy wrote:
>> Mac users less advanced than Fedora users, but Fedora users not body
>> armor. And not just available and suggested, they have to put it on. I
>> just...  it's totally baffling to me. I really do not get it.
>
> I guess... I don't feel personally responsible for what happens to the
> Mac users?

Why do you feel responsible for the behavior of Fedora users?



>
>> I'm not asking where the fire is, because I'm still waiting for
>> someone to point out the smoke.
>
> I've been a sysadmin for long enough in environments which burned to
> the ground over this. I don't think it's that hard to be _minimally
> responsible_.

Are you saying that best practices were followed in all other ways in
those environments, except for password quality?

Why is password quality being targeted rather than the number of ssh
attempts being set to e.g. 3 per minute, by default? And does this
sufficiently mitigate the concern, and if not, why not?

Whatever minimum quality is arrived at for Fedora 23 will likely be
obsolete for Fedora 24, certainly obsolete for Fedora 25. So at least
it's annual discussions to raise the minimum password quality. That's
how fast the minimum is escalating, once you choose to become
responsible for the behavior of others' login passwords.

So no, I don't think it's easy. I think it's easier to choose things
that don't require much discussion because they have next to no impact
on legitimate usage, even if they take more work to build. At least
the work goes into building real defenses rather than arguing about
fake ones. And I think password quality for logins it's completely
fake - it's a distraction.

And I think that because of the example I made previously - Apple
doesn't give a crap about password quality and yet that world isn't
burning. Why not? Clearly it's not about the password quality
enforcement because they have none.


-- 
Chris Murphy

More information about the desktop mailing list