Summary of password strength discussion

Paul W. Frields stickster at
Thu Jul 30 15:41:20 UTC 2015

On Thu, Jul 23, 2015 at 11:55:47AM -0500, Michael Catanzaro wrote:
> Hi,
> At the last WG meeting [1] we discussed the password strength issue. We
> agreed on four main points:
> 1) Fedora Workstation will ship a custom .conf file in
> /etc/security/pwquality.conf.d, which is now possible in F23 [2].
> 2) gnome-initial-setup will be modified to prevent the user from
> setting a password that would be rejected by libpwquality.
> 3) We need to test a reasonable set of passwords we'd want to succeed,
> to make sure the settings we chose in (1) are correct.
> 4) Our requirements for local password strength will allow passwords
> that would be much too weak were remote access via SSH to be enabled.
> We should have some user interaction when enabling SSH in the Sharing
> panel to force the user to pick a much stronger password.
> Note: point (1) allows corporate deployments to set their own password
> polices, which will be respected by GNOME, to meet their own security
> needs, by modifying /etc/security/pwquality.conf (which overrides the
> settings in /etc/security/pwquality.conf.d).
> Point (4) above sets the goal of setting stricter password requirements
> when remote access is enabled. Remote access is disabled by default and
> will remain disabled forever for most Workstation users, so it's not
> appropriate for that case to dictate our default password requirements.
> This means only physical adversaries are interesting to consider.

The discussion ranged pretty far elsewhere in this thread, but the
summary I take away is:

* No real disagreements on 1-3 as far as establishing/enforcing
  policy; points below are regarding 4
* It's risky, maybe foolhardy, to muck with /etc/ssh/sshd_config to
  whitelist users or other config -- too many potential points of
  failure, adds code complexity, etc.

* Frobbing passwords again after enabling sshd.service also creates
  confusion (repeat {en,dis}ablements, how to propagate to other
  users, etc.)

  * Basically, the further we go down this road, the more confusing
    both the tools and the user experience gets.  (My personal feeling
    from observing the discussion is that initial password setting is
    the only point we should really do any enforcement, and trying to
    "backfill" the process is doomed.)

* Alternative of turning on sshd.service on a per-interface basis to
  change the surface of attack -- in other words, we reduce exposure
  for the user by not running sshd on non-trusted networks

* We still need to establish a list of words for point 3 to try
  against a libpwquality policy

Please let me know if I missed a major important point here.  I'm sure
some people may disagree with whatever decision is made, but we should
choose a path here.

Paul W. Frields                      
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717   -  -  -  -
    The open source story continues to grow:

More information about the desktop mailing list