Mon Jul 27 17:49:49 UTC 2015

On Mon, Jul 27, 2015 at 11:19:41AM -0600, Chris Murphy wrote:
> > I guess... I don't feel personally responsible for what happens to the
> > Mac users?
> Why do you feel responsible for the behavior of Fedora users?

That's not what I said.

> > I've been a sysadmin for long enough in environments which burned to
> > the ground over this. I don't think it's that hard to be _minimally
> > responsible_.
> Are you saying that best practices were followed in all other ways in
> those environments, except for password quality?
> Why is password quality being targeted rather than the number of ssh
> attempts being set to e.g. 3 per minute, by default? And does this
> sufficiently mitigate the concern, and if not, why not?

Reducing number of possible attempts is certainly part of the same
calculation; basically, we want an appropriate level of password
entropy for the permitted rate of attempts and the password lifetime.
It doesn't need to be — and shouldn't be — overkill, but I don't think
it's responsible of us to set the defaults too low, either.

> Whatever minimum quality is arrived at for Fedora 23 will likely be
> obsolete for Fedora 24, certainly obsolete for Fedora 25. So at least
> it's annual discussions to raise the minimum password quality. That's
> how fast the minimum is escalating, once you choose to become
> responsible for the behavior of others' login passwords.

I don't think this is necessarily true.

> So no, I don't think it's easy. I think it's easier to choose things
> that don't require much discussion because they have next to no impact
> on legitimate usage, even if they take more work to build. At least
> the work goes into building real defenses rather than arguing about
> fake ones. And I think password quality for logins is completely
> fake - it's a distraction.

I agree that if we increase other defenses this one becomes less of a
hole on its own.
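The "same calculation" referred to above (entropy needed for a given
guessing rate and password lifetime, and the reverse: what rate limit a
given length policy can tolerate), carried through as an added worked
example. This is not code from the thread, from Fedora, or from
pam_pwquality/sshd. Assumptions, all illustrative: passwords are uniformly
random over their alphabet (an upper bound for human-chosen passwords, so
the lengths it produces are optimistic); the attacker sustains the stated
rate for the whole lifetime; the acceptable success probability is 1e-6;
the lifetime is 365 days; 3 attempts/minute is the throttle suggested in
the quoted reply; 1000 attempts/minute is a made-up stand-in for an
unthrottled sshd.

```python
"""Password-entropy budget for online guessing.

Added worked example for this thread, not Fedora or pam_pwquality code.
Model: N total guesses against a uniformly random password of H bits
succeed with probability N / 2**H.  Fixing an acceptable probability p
gives H = log2(N / p), and N = rate * minutes of lifetime.
"""
import math

MINUTES_PER_DAY = 60 * 24


def required_entropy_bits(attempts_per_minute, lifetime_days,
                          max_success_probability=1e-6):
    """Bits of entropy needed so that a guesser limited to attempts_per_minute
    for lifetime_days succeeds with probability <= max_success_probability."""
    total_guesses = attempts_per_minute * MINUTES_PER_DAY * lifetime_days
    return math.log2(total_guesses / max_success_probability)


def max_attempt_rate(entropy_bits, lifetime_days, max_success_probability=1e-6):
    """Reverse direction: the per-minute guessing rate that a password of
    entropy_bits can tolerate over lifetime_days at the same risk level."""
    total_guesses = max_success_probability * 2 ** entropy_bits
    return total_guesses / (MINUTES_PER_DAY * lifetime_days)


def policy_bits(min_length, alphabet_size):
    """Entropy of a uniformly random password of min_length symbols drawn
    from an alphabet of alphabet_size symbols (upper bound for real users)."""
    return min_length * math.log2(alphabet_size)


def min_length_for_bits(entropy_bits, alphabet_size):
    """Shortest uniformly random password over alphabet_size symbols that
    reaches entropy_bits."""
    return math.ceil(entropy_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    LIFETIME_DAYS = 365          # assumed; Fedora sets no default expiry
    ALPHABETS = {"lowercase": 26, "alnum": 62, "printable": 94}
    # 3/min is the throttle proposed in the thread; 1000/min is an assumed
    # stand-in for an unthrottled service.
    for label, rate in (("3/min (throttled)", 3), ("1000/min (assumed)", 1000)):
        bits = required_entropy_bits(rate, LIFETIME_DAYS)
        lengths = ", ".join(f"{name} >= {min_length_for_bits(bits, size)}"
                            for name, size in ALPHABETS.items())
        print(f"{label:20s} needs {bits:5.1f} bits -> {lengths}")

    # The trade-off the reply describes: keep the policy fixed and ask what
    # rate limit makes it adequate instead.
    weak = policy_bits(8, ALPHABETS["lowercase"])
    print(f"8 lowercase chars = {weak:.1f} bits; tolerable rate over "
          f"{LIFETIME_DAYS} days: {max_attempt_rate(weak, LIFETIME_DAYS):.2f}/min")
```

Reading the output: throttling from an unthrottled rate to 3/min cuts the
required entropy by roughly eight bits, which is one or two characters of
minimum length; and an 8-character lowercase policy over a year is only
adequate at well under one guess per minute. Real user-chosen passwords
carry far fewer bits than the uniform model, so these lengths are a floor,
not a recommendation.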

