FESCO request to revert password confirmation change in F22
Mike Pinkerton
pselists at mindspring.com
Tue Mar 10 11:54:11 UTC 2015
On 10 Mar 2015, at 07:00, Matěj Cepl wrote:
> On 2015-03-10, 10:15 GMT, Björn Persson wrote:
>>> The user surely knows better what a good password is than the
>>> software does. If the user picks a crappy password, there's
>>> probably a good reason.
>>
>> There are two possible reasons why you would say that. Either you
>> haven't even looked at the Ars Technica articles that have been
>> discussed in this thread, or else you believe that a majority of
>> users of all sorts of web services think it's all right if all the
>> spies and script kiddies in the world have full access to their
>> accounts.
>
> I think certainly there should be some protection against
> passwords like "monkey" (why monkey and not kangaroo, for
> example?) or "iloveyou" (as the Pope Francis said our message
> should be based on love not hate!), but when it tries to do too
> much more it is getting in the way even to the people who
> actually know what they are talking about. VM machine used only
> for temporary compilation on the old platform just doesn't have
> to have 63-random-chars password from
> https://www.grc.com/passwords.htm
At the risk of complicating someone's life:
Given that pattern-based attacks make meaningful password quality
checking nigh impossible, why not just drop password quality checks?
Instead, give a simple explanation that a secure password should:
* be at least xx random characters in length, utilize both lower and
upper case letters, as well as numerals and special characters, and
not contain any human recognizable pattern -- and that any pattern
that one can easily remember is probably insecure; or
* be generated by a suitably random password generator, such as a 7
word Diceware password.
Then embed a random password generator, such as /usr/bin/apg, and
give the user a choice of generating a random password of whatever
length the user wants, or simply entering whatever insecure password
the user deems appropriate given the anticipated use of the installed
OS.
--
Mike