FESCO request to revert password confirmation change in F22

Mike Pinkerton pselists at mindspring.com
Tue Mar 10 11:54:11 UTC 2015


On 10 Mar 2015, at 07:00, Matěj Cepl wrote:

> On 2015-03-10, 10:15 GMT, Björn Persson wrote:
>>> The user surely knows better what a good password is than the
>>> software does. If the user picks a crappy password, there's
>>> probably a good reason.
>>
>> There are two possible reasons why you would say that. Either you
>> haven't even looked at the Ars Technica articles that have been
>> discussed in this thread, or else you believe that a majority of users
>> of all sorts of web services think it's all right if all the spies and
>> script kiddies in the world have full access to their accounts.
>
> I think certainly there should be some protection against
> passwords like "monkey" (why monkey and not kangaroo, for
> example?) or "iloveyou" (as Pope Francis said, our message
> should be based on love, not hate!), but when it tries to do too
> much more it is getting in the way even for the people who
> actually know what they are talking about. A VM machine used only
> for temporary compilation on the old platform just doesn't have
> to have a 63-random-character password from
> https://www.grc.com/passwords.htm


At the risk of complicating someone's life:

Given that pattern-based attacks make meaningful password quality
checking nigh impossible, why not just drop password quality checks?

Instead, give a simple explanation that a secure password should:

*  be at least xx random characters in length, utilize both lower and
upper case letters, as well as numerals and special characters, and
not contain any human recognizable pattern -- and that any pattern
that one can easily remember is probably insecure; or

*  be generated by a suitably random password generator, such as a 7
word Diceware password.

Then embed a random password generator, such as /usr/bin/apg, and
give the user a choice of generating a random password of whatever
length the user wants, or simply entering whatever insecure password
the user deems appropriate given the anticipated use of the installed
OS.

-- 
Mike
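As an added illustration of the "explain the rule, then offer a generator" approach proposed above (example code written for this page, not from the thread, from apg or from the Diceware project): five-dice Diceware word selection driven by the OS CSPRNG, a random-character generator that guarantees the four character classes the explanation names, and the entropy arithmetic behind "7 Diceware words" versus "63 random characters". The word list is a constructed placeholder standing in for the real 7776-word Diceware list, which is a separate download.

```python
import math
import secrets
import string

# Constructed placeholder for the real Diceware list (7776 = 6**5 words, one
# per five-dice roll). Entropy per word depends only on the list size.
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(6 ** 5)]

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def diceware_index(rolls):
    """Map five dice values (each 1..6) to a 0-based word-list index."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("Diceware uses exactly five dice, each 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(words=7, wordlist=PLACEHOLDER_WORDS):
    """Roll five dice per word with the OS CSPRNG (the electronic stand-in
    for physical dice) and join the chosen words with spaces."""
    chosen = []
    for _ in range(words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        chosen.append(wordlist[diceware_index(rolls)])
    return " ".join(chosen)


def meets_stated_rule(password):
    """Lower and upper case, numerals and special characters all present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def random_password(length, alphabet=PASSWORD_ALPHABET):
    """Uniform random characters; resample until every class appears so the
    result always satisfies the rule the user was just shown."""
    if length < 4:
        raise ValueError("need room for one character of each of four classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_stated_rule(candidate):
            return candidate


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a uniformly chosen sequence: 7 words from 7776 is about
    90 bits; 63 characters from a 95-character alphabet is about 414 bits."""
    return symbols * math.log2(choices_per_symbol)
```

The rejection loop in random_password keeps the output uniform over the set of rule-satisfying strings, which a "patch in a missing class" fix would not.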
