FESCO request to revert password confirmation change in F22

Reindl Harald h.reindl at thelounge.net
Sun Mar 8 19:21:21 UTC 2015

Am 08.03.2015 um 17:24 schrieb Nico Kadel-Garcia:
> There's also a counterproductive effect. Passwords that are enforced,
> by policy, to be nonsensical gibberish tend to be written down,
> because no one can remember them. And because no one can remember
> them, they're written down in easily accessed locations. The classic
> storage is the Post-it note on the secretary's desk, but I see a lot
> of people who should know better writing them into source control
> systems that everyone in the company can read


not so problematic in case of a policy rejecting "insecure" passwords 
*but* the real problem are security auditors claiming you have to 
disable the option to store a password in your browser for web-applications

yes, if someone can access that password store you have a problem but 
given you have a master-password configured the access to the whole 
firefox profile is pointless

if you are forced to note in somewhere it's likely a more dangerous 
place, if someone combines that policy with "you have to change your 
password every month" he is a fool with a theoretic view not aware what 
damage he does

as example my my passwords are 26 chars long, the generator is self 
written even using openssl random stuff and if some idiot forbids me to 
store that *impossible to remember* passwords and enforce to change them 
all the time he gains nothing but problems

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150308/49dd2b97/attachment.sig>

More information about the devel mailing list