F23 Self Contained Change: Standardized Passphrase Policy

Matthias Clasen mclasen at redhat.com
Fri Jun 26 20:21:02 UTC 2015

On Tue, 2015-06-23 at 12:21 -0400, Jan Kurik wrote:
> = Proposed Self Contained Change: Standardized Passphrase Policy =
> https://fedoraproject.org/wiki/Changes/Standardized_passphrase_policy
> Change owner(s):
> * Kevin Fenzi <kevin at scrye dot com>
> * David Cantrell <dcantrell at redhat dot com>
> * Tomas Mraz <tmraz at redhat dot com> 
> Currently a number of places ask users to set passphrases/passwords. 
> Some of them enforce some kind of rules for passphrases/passwords, 
> others different rules. This change would create a common base policy 
> for as many of these applications as possible, allowing for local 
> users or products to override this base in cases they need to do so. 

But passwords and passphrases are not all the same shape or color - the
requirements for a password you want to use for ssh login over the
internet are quite different from ones for a shared account used by all
family members, or a passphrase that you use to protect your diary in
your home directory.

How does a single common policy make sense for such wildly different
use cases?

Your list of applications looks like you are really only interested in
passwords for local user accounts, though. If that is the case, please
make that clear in the description.


> The applications involved in this change should be at least:
> * anaconda - sets initial root and user passphrases/passwords. 
> * passwd - command line utility that changes passphrases/passwords. 
> * initial-setup - sets up users if they were not set up in anaconda.

You should add gnome-control-center to this list.

> * libpwquality - doesn't set passwords, but should be used in common 
> for quality checking in a consistent manner. 

All of the applications that you are listing are already using
libpwquality, which has not really helped to move us to a consistent
user experience in this area. We should evaluate if libpwquality is
really suitable for what we need here. 
