FESCO request to revert password confirmation change in F22
Bjorn at xn--rombobjrn-67a.se
Tue Mar 10 23:38:58 UTC 2015
Björn Persson wrote:
> Kevin Kofler wrote:
> > The user surely knows better what a good password is than the
> > software does. If the user picks a crappy password, there's probably a good
> > reason.
> There are two possible reasons why you would say that. Either you
> haven't even looked at the Ars Technica articles that have been
> discussed in this thread, or else you believe that a majority of users
> of all sorts of web services think it's all right if all the spies and
> script kiddies in the world have full access to their accounts.
The replies to that message make me wonder if perhaps some people
misunderstood what I meant. I haven't clearly expressed any opinions
about enforced requirements on passphrases, and some people may have
made assumptions about my opinions. In the hope of clearing up any
misunderstandings I'll make these statements:
· The fact that we don't have a good algorithm for calculating
passphrase quality is a good argument against trying to enforce a
minimum passphrase quality.
· The fact that use cases exist where there is little need for access
control – for example temporary and isolated test installations – is a
valid argument against trying to enforce a minimum passphrase quality.
· The assertion that users in general know what a good password is is
not a valid argument, because it's so obviously false that it's plain
· A policy that would permit "Tr0ub4dor&3" because it contains upper
case, lower case, digits and symbols, but forbid "correct horse battery
staple" because it's all lower case, would be counterproductive and a
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 819 bytes
Desc: OpenPGP digital signatur
More information about the devel