Anaconda 22.17+ enforces "good" passwords
Hubert Kario
hkario at redhat.com
Thu Feb 26 11:51:49 UTC 2015
On Wednesday 25 February 2015 18:55:29 Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 10:42 AM, Stephen John Smoogen <smooge at gmail.com>
> wrote:
> > However unless we can agree to some sort of measurement system then
> > everything we 'impose' is going to be no better than throwing salt over our
> > shoulder and turning 3 times widdershins.
>
> Feynman's Freshman Class problem... I don't think this is well enough
> understood to put this in front of users. And by this, I mean,
> concepts like entropy or even a score.
That's why I proposed to also show a minimum entropy/score needed.
If I provide something that gets a score of 10 while the requirement is for 20,
then I know that I need something much more complex.
On the other hand, if I get 19 and the requirement is for 20, I know I need
just a simple modification to push it over the threshold.
Users already are rather familiar with password quality meters.
But the minimum entropy *depends directly* on rate limiting and password
ageing settings.
> It also doesn't actively give advice in advance, it only disqualifies
> (or admonishes) after the fact, so it's negative (re)enforcement,
> rather than being positive. And I can't agree this is the right
> direction to go in.
What I had in mind was that the password evaluation (and example passwords)
is done after the user stops writing (0.5s of inactivity?) or moves to the
re-entry field. So it's during the act, not after.
It's also rather hard to tell the user he can't have the password he or she
likes before knowing it...
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
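
The following Python example is added here to illustrate the two points in the message above (a minimum that depends on rate limiting and password ageing, and feedback that shows the score next to that minimum); it is not part of the original e-mail and not Anaconda code. The function names, the 2-bit "near miss" margin and the policy numbers are assumptions, and the score is treated as bits of entropy of a uniformly chosen password.

```python
import math

SECONDS_PER_DAY = 86400


def required_bits(guesses_per_second, max_age_days, max_success_probability):
    """Minimum entropy for a given online-guessing policy (hypothetical helper).

    An attacker limited to guesses_per_second can try
    budget = rate * lifetime candidates before the password is rotated.
    Against a password drawn uniformly from 2**bits candidates the success
    probability is about budget / 2**bits, so we need
    bits >= log2(budget / max_success_probability).
    """
    budget = guesses_per_second * max_age_days * SECONDS_PER_DAY
    if budget <= 0:
        return 0  # no guesses possible, no entropy required
    return max(0, math.ceil(math.log2(budget / max_success_probability)))


def feedback(score, minimum, near_miss=2):
    """Show the score against the minimum, as proposed in the message.

    near_miss (assumed margin, in bits) separates "a simple modification
    is enough" from "something much more complex is needed".
    """
    gap = minimum - score
    if gap <= 0:
        return "ok", f"score {score} / minimum {minimum}: accepted"
    if gap <= near_miss:
        return "minor", f"score {score} / minimum {minimum}: a small change is enough"
    return "major", f"score {score} / minimum {minimum}: needs to be much more complex"


if __name__ == "__main__":
    # Constructed policies: 90-day ageing, at most a one-in-a-million chance
    # of a successful guess, with and without strict rate limiting.
    limited = required_bits(0.1, 90, 1e-6)     # one guess every 10 seconds
    unlimited = required_bits(1000, 90, 1e-6)  # 1000 guesses per second
    print("rate limited:", limited, "bits; not rate limited:", unlimited, "bits")
    for score in (10, 19, 20):                 # the scores used in the message
        print(feedback(score, 20)[1])
```

Real password scores for human-chosen passwords are estimates, so the computed minimum is a lower bound on what a policy should ask for rather than a guarantee.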