Do you think this is a security risk and if not is it a bad UI decision?

Stef Walter stefw at redhat.com
Mon May 6 19:37:17 UTC 2013


On 06.05.2013 18:38, Adam Williamson wrote:
> On Mon, 2013-05-06 at 11:43 -0400, Rahul Sundaram wrote:
>> On 05/06/2013 10:48 AM, Miloslav Trma─Ź wrote:
>>
>>>
>>> On Sat, May 4, 2013 at 6:31 AM, Rahul Sundaram wrote:
>>>         On 05/04/2013 12:24 AM, Eric Sandeen wrote:
>>>                 On the other hand, if it's the right thing to do,
>>>                 then it needs to be done for GUI password change
>>>                 dialogs and the passwd command should be updated as
>>>                 well, for consistency, no?
>>>         
>>>         
>>>         On a related note, Anaconda,  GNOME, KDE etc seems to be
>>>         relying on different rules about what an acceptable password
>>>         is.  We really need to settle on one library and provide a
>>>         consistent way to tweak it.
>>> "Everything" (certainly Anaconda and GNOME, not sure about KDE) is
>>> supposed to use libpwquality.  Is that not so?
>>>
>>
>> They are definitely not enforcing the same rules. 
> 
> One obvious area of inconsistency is that some of the tools _warn_ on
> weak passwords, and some _block_ on weak passwords. We should
> standardize on one or the other of those.

Not really. It makes complete sense to allow overriding the rules in
certain contexts. For example when root is setting another user's password.

Cheers,

Stef




More information about the devel mailing list