F23 Self Contained Change: Standardized Passphrase Policy

Kevin Fenzi kevin at scrye.com
Fri Jun 26 20:53:33 UTC 2015


On Fri, 26 Jun 2015 16:21:02 -0400
Matthias Clasen <mclasen at redhat.com> wrote:

> But passwords and passphrases are not all the same shape or color -
> the requirements for a password you want to use for ssh login over the
> internet are quite different from ones for a shared account used by
> all family members, or a passphrase that you use to protect your
> diary in your home directory.
> 
> How does a single common policy make sense for such wildly different
> use cases?
> 
> Your list of applications looks like you are really only interested in
> passwords for local user accounts, though. If that is the case, please
> make that clear in the description.

Side note: IMHO, we should remove and stop using the term
'password'. It evokes back to the early days of UNIX where you had to
choose an 8 character or less 'word' to gain access to something. All
our tools can and should use much longer phrases.

And yes, you are right, there are different needs for different things and
I was focusing on local uses. (Local logins, luks, etc.) I'll see if I
can clarify the change page for that. Thanks.

> [...]
> 
> > The applications involved in this change should be at least:
> > * anaconda - sets initial root and user passphrases/passwords. 
> > * passwd - command line utility that changes passphrases/passwords. 
> > * initial-setup - sets up users if they were not set up in anaconda.
> 
> You should add gnome-control-center to this list.

Good idea. Will do so. 
 
> > * libpwquality - doesn't set passwords, but should be used in
> > common for quality checking in a consistent manner. 
> 
> All of the applications that you are listing are already using
> libpwquality, which has not really helped to move us to a consistent
> user experience in this area. We should evaluate if libpwquality is
> really suitable for what we need here. 

Well, I think there's some confusion on how to actually "use"
libpwquality. There are basically no docs and I think it's being used
different ways in different cases. But yes, if it doesn't meet needs we
could look at alternatives. I am hopeful we can better use it or adjust
it and keep using it, but we will see. 

kevin