FESCO request to revert password confirmation change in F22

Mike Pinkerton pselists at mindspring.com
Tue Mar 10 11:54:11 UTC 2015

On 10 Mar 2015, at 07:00, Matěj Cepl wrote:

> On 2015-03-10, 10:15 GMT, Björn Persson wrote:
>>> The user surely knows better what a good password is than the
>>> software does. If the user picks a crappy password, there's
>>> probably a good reason.
>> There are two possible reasons why you would say that. Either you
>> haven't even looked at the Ars Technica articles that have been
>> discussed in this thread, or else you believe that a majority of users
>> of all sorts of web services think it's all right if all the spies and
>> script kiddies in the world have full access to their accounts.
> I think certainly there should be some protection against
> passwords like "monkey" (why monkey and not kangaroo, for
> example?) or "iloveyou" (as the Pope Francis said our message
> should be based on love not hate!), but when it tries to do too
> much more it is getting in the way even to the people who
> actually know what they are talking about. VM machine used only
> for temporary compilation on the old platform just doesn't have
> to have 63-random-chars password from
> https://www.grc.com/passwords.htm

At the risk of complicating someone's life:

Given that pattern-based attacks make meaningful password quality
checking nigh impossible, why not just drop password quality checks?

Instead, give a simple explanation that a secure password should:

*  be at least xx random characters in length, utilize both lower and
upper case letters, as well as numerals and special characters, and
not contain any human recognizable pattern -- and that any pattern
that one can easily remember is probably insecure; or

*  be generated by a suitably random password generator, such as a 7
word Diceware password.

Then embed a random password generator, such as /usr/bin/apg, and
give the user a choice of generating a random password of whatever
length the user wants, or simply entering whatever insecure password
the user deems appropriate given the anticipated use of the installed