FESCO request to revert password confirmation change in F22

Björn Persson Bjorn at xn--rombobjrn-67a.se
Tue Mar 10 23:38:58 UTC 2015


Björn Persson wrote:
> Kevin Kofler wrote:
> > The user surely knows better what a good password is than the 
> > software does. If the user picks a crappy password, there's probably a good 
> > reason.
> 
> There are two possible reasons why you would say that. Either you
> haven't even looked at the Ars Technica articles that have been
> discussed in this thread, or else you believe that a majority of users
> of all sorts of web services think it's all right if all the spies and
> script kiddies in the world have full access to their accounts.

The replies to that message make me wonder if perhaps some people
misunderstood what I meant. I haven't clearly expressed any opinions
about enforced requirements on passphrases, and some people may have
made assumptions about my opinions. In the hope of clearing up any
misunderstandings I'll make these statements:

· The fact that we don't have a good algorithm for calculating
passphrase quality is a good argument against trying to enforce a
minimum passphrase quality.

· The fact that use cases exist where there is little need for access
control – for example temporary and isolated test installations – is a
valid argument against trying to enforce a minimum passphrase quality.

· The assertion that users in general know what a good password is is
not a valid argument, because it's so obviously false that it's plain
ridiculous.

· A policy that would permit "Tr0ub4dor&3" because it contains upper
case, lower case, digits and symbols, but forbid "correct horse battery
staple" because it's all lower case, would be counterproductive and a
terrible mistake.

Björn Persson
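
The last point above, as an added example that is not part of the original message: a character-class rule applied to the two strings, next to the entropy of the process assumed to have produced each one. The rule, the 2048-word list, the 65536-word dictionary and the per-tweak bit counts are all assumptions made for illustration; the bit figures describe the assumed generation process and are not computed from the strings.

```python
import math
import string

def composition_policy(pw, min_len=8):
    """Hypothetical class-based rule. Returns the violations; empty means accepted."""
    checks = {
        "upper case": any(c.isupper() for c in pw),
        "lower case": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    problems = ["missing " + name for name, ok in checks.items() if not ok]
    if len(pw) < min_len:
        problems.append("too short")
    return problems

def uniform_choice_bits(options, picks):
    """Entropy in bits of `picks` independent uniform draws from `options` items."""
    return picks * math.log2(options)

# Assumed generation models (illustrative, not measured):
#  - passphrase: four words drawn uniformly from a 2048-word list
#  - pattern password: one word from a 65536-word dictionary, plus predictable
#    tweaks: capitalisation (1 bit), common substitutions (3), one symbol (4),
#    one digit (3), order of symbol and digit (1)
PASSPHRASE_BITS = uniform_choice_bits(2048, 4)
PATTERN_BITS = uniform_choice_bits(65536, 1) + 1 + 3 + 4 + 3 + 1

def compare():
    """Return (password, accepted, violations, assumed_bits) for both strings."""
    samples = (
        ("Tr0ub4dor&3", PATTERN_BITS),
        ("correct horse battery staple", PASSPHRASE_BITS),
    )
    rows = []
    for pw, bits in samples:
        problems = composition_policy(pw)
        rows.append((pw, not problems, problems, bits))
    return rows

if __name__ == "__main__":
    for pw, accepted, problems, bits in compare():
        verdict = "accepted" if accepted else "rejected: " + ", ".join(problems)
        print(f"{pw!r:32} {verdict:58} ~{bits:.0f} bits (assumed model)")
```
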