FESCO request to revert password confirmation change in F22

Michael Catanzaro mcatanzaro at gnome.org
Fri Mar 6 21:14:43 UTC 2015


On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
> * The workstation folks think this change could drive away some of
>   their potential users for not much gain. In their case, sshd is not
>   enabled/running and additional security for a device that sits in
>   your home isn't worth the additional complexity. 

Regarding Workstation: I don't think it provides any additional safety,
TBH. I see two cases:

* Case 1: The attacker has physical access to your computer. The user
account password is no protection: I think pretty much all of us know
how to boot a live image and copy files off the disk that way. A BIOS
password would actually help somewhat, to delay the attacker as long as
it takes the attacker to drain your battery to reset it. A disk
encryption password would be real security.

* Case 2: The attacker doesn't have physical access to your computer.
The user account password is irrelevant.

--- This is a pretty simple argument, can anyone point out a flaw? ---

My argument in Case 2 does fall down if the user enables SSH in the
Sharing panel of System Settings. That's indeed disabled by default,
though. It also falls down if the user enables VNC in the Sharing panel,
but that is an orthogonal issue as that's not your user account
password, and it's limited to eight characters regardless. I mention it
because I hesitate to add a password strength check when enabling SSH
unless we do so for VNC as well, which would be impossible. Maybe
someone else has a good idea here.

What if the attacker is not after any files on your computer, but just
your password so that he can reuse it somewhere else? In that case,
password strength still doesn't matter: if he can see the hash of your
password in /etc/shadow to try cracking it, he has already pwned you and
might as well log your keystrokes.

If the attacker is unskilled and doesn't know how to boot a live image,
and the password is *exceedingly* bad ("123", "alice", "mcatanzaro"
etc.), then it would matter if the attacker could guess it. I personally
see little harm in taking the ball away from those who'd use passwords
like those.

Possibly there is something I have missed -- if someone can set me
straight as to a safety issue I am missing, that'd be dandy -- but I for
one have yet to see an argument that the strength of the password
matters at all!

Now, enforcing a strong *disk encryption password* and turning on disk
encryption by default (at least for laptops): that would be some actual
security. :)

Michael
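The "exceedingly bad" passwords the message lists ("123", "alice", "mcatanzaro") are the class a minimal strength check could reject without bothering anyone else. The following is an added example, not code from this message, from Fedora, or from the installer's pwquality policy; the function names, the length threshold and the tiny blocklist are illustrative assumptions:

```python
"""Added example: flag only 'exceedingly bad' passwords of the kind named in
the mail (trivially short, the user name itself, a common password, a plain
sequence). Names, thresholds and the blocklist are assumptions for
illustration, not Fedora's or libpwquality's actual policy."""

import re

# Constructed blocklist standing in for the common-password lists that real
# checkers ship with (assumption; a real list has tens of thousands of entries).
COMMON_PASSWORDS = {
    "123", "1234", "12345", "123456", "password", "qwerty", "letmein",
    "welcome", "admin", "fedora", "abc123",
}

MIN_LENGTH = 8  # assumed threshold


def _strip_leet(s: str) -> str:
    """Undo common digit-for-letter substitutions so 'al1ce' matches 'alice'."""
    return s.lower().translate(str.maketrans("013457@$", "oieastas"))


def _is_sequence(s: str) -> bool:
    """True for runs like '12345', 'abcdef', '54321' (constant step of +1/-1)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the reasons a password is 'exceedingly bad'; [] if there are none.

    Passing these checks means only 'not exceedingly bad'; it says nothing
    about the password being strong.
    """
    problems = []
    p = password.lower()
    u = username.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if p in COMMON_PASSWORDS or _strip_leet(p) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if u:
        if p == u or p == u[::-1]:
            problems.append("same as the user name")
        elif len(u) >= 4 and u in _strip_leet(p):
            problems.append("contains the user name")
    if _is_sequence(p):
        problems.append("is a simple sequence")
    if p and len(set(p)) == 1:
        problems.append("repeats a single character")
    if password and re.fullmatch(r"[0-9]+", password):
        problems.append("digits only")
    return problems


def is_exceedingly_bad(password: str, username: str = "") -> bool:
    return bool(password_problems(password, username))


if __name__ == "__main__":
    # Constructed sample input: the mail's own examples plus two others.
    for pw, user in [("123", "alice"), ("alice", "alice"),
                     ("mcatanzaro", "mcatanzaro"), ("Al1ce2015!", "alice"),
                     ("correct horse battery staple", "alice")]:
        print(f"{pw!r}: {password_problems(pw, user) or 'ok'}")
```

A check of this shape rejects the three examples from the message while letting any ordinary passphrase through; it deliberately does not try to score entropy, since the argument above is that strength beyond "not trivially guessable" buys nothing for a local account without a listening service.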