FESCO request to revert password confirmation change in F22
Reindl Harald
h.reindl at thelounge.net
Sun Mar 8 19:21:21 UTC 2015
On 08.03.2015 at 17:24, Nico Kadel-Garcia wrote:
> There's also a counterproductive effect. Passwords that are enforced,
> by policy, to be nonsensical gibberish tend to be written down,
> because no one can remember them. And because no one can remember
> them, they're written down in easily accessed locations. The classic
> storage is the Post-it note on the secretary's desk, but I see a lot
> of people who should know better writing them into source control
> systems that everyone in the company can read
correct

not so problematic in case of a policy rejecting "insecure" passwords

*but* the real problem is security auditors claiming you have to
disable the option to store a password in your browser for web applications
yes, if someone can access that password store you have a problem but
given you have a master-password configured the access to the whole
firefox profile is pointless
if you are forced to note it somewhere it's likely a more dangerous
place; if someone combines that policy with "you have to change your
password every month" he is a fool with a theoretical view, not aware what
damage he does

as an example, my passwords are 26 chars long, the generator is
self-written, even using openssl random stuff, and if some idiot forbids me to
store those *impossible to remember* passwords and forces me to change them
all the time he gains nothing but problems
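The generator Harald mentions is his own and not shown on the list; the block below is an added example, not his code, of what such a generator does: 26 characters drawn uniformly from a CSPRNG. It uses Python's `secrets` module (backed by `os.urandom`) instead of openssl, and the alphabet is an assumption of the example, since the post does not specify one. The entropy helper is there to make the point of the thread concrete: a 26-character random password carries far more entropy than anything a "complexity" policy produces.

```python
import math
import secrets
import string

# Alphabet for the generated passwords. The post does not specify one,
# so this set (letters, digits, a handful of punctuation characters)
# is an assumption of this example.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

PASSWORD_LENGTH = 26  # the length mentioned in the post


def generate_password(length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    secrets.choice reads from the OS CSPRNG and uses rejection sampling,
    so there is no modulo bias across the alphabet, unlike random.choice
    (not cryptographic) or ``ord(byte) % len(alphabet)`` (biased).
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of `length` uniform, independent draws from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def is_valid(password: str, length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> bool:
    """True if the password has the expected length and only alphabet symbols."""
    return len(password) == length and all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{entropy_bits():.1f} bits for {PASSWORD_LENGTH} chars, "
          f"vs {entropy_bits(8):.1f} bits for a typical 8-char policy password")
```

Storing the output in a browser or password manager protected by a master password is the workflow the post defends: the password itself is never meant to be memorised, so the place it lives is the thing to protect, not the user's memory.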