Heads up - Anaconda 22.17 will enforce 'good' passwords

Chris Murphy lists at colorremedies.com
Fri Jan 30 21:49:56 UTC 2015


On Fri, Jan 30, 2015 at 1:21 PM, Adam Williamson
<adamwill at fedoraproject.org> wrote:
> On Fri, 2015-01-30 at 12:59 -0700, Chris Murphy wrote:
>> What's the actual, real world,
>> non-imaginary impetus behind the change?
>
> It's exactly what all the list posts I pointed you to say it is.

Please go find quotes because I just went through them all and I found:

"Better security is always a plus."

"Instead I propose that we increase our minimum password..."

"In principle I don't disagree with it; But IMO it can not be a replacement
to stronger defaults."

And that's it. No actual reasons, let alone any data to back it up.
And all three of those statements have flaws which I've already
addressed.

> I
> don't know how to stop the conspiracy virus which causes people to
> leap to the conclusion that there's some shadowy secret motive behind
> every change they don't like, but there *isn't*.

I don't know how to stop your conspiracy virus from leaping to the
conclusion I was thinking there's a secret motive. I'm actually,
literally asking the question, what is the *real world* impetus behind
the change? That is not rhetorical. I want facts. I want data. Not
hand-wavy opinions like "better security is a plus". I want to know
exactly what the attack vector is being mitigated here and how common
it is. Otherwise it is exactly as I've stated, it's a solution in
search of a problem, a problem that by the way the $18 billion target
on its back doesn't seem to think is such a big problem seeing as its
devices without passwords are regularly used on public encrypted wifi
and the world is not ending.

What conspiracy are we avoiding with this password change? Where's the
threat? Why is voluntary compliance inadequate? Have we done our
absolute best to achieve voluntary compliance with stronger passwords?
Why do we distrust users' ability to choose their own passwords for
their own use case?

I just don't see any consideration here except specious statements
like better security is always a plus. That was the summary extent of
the entire decision making process.

-- 
Chris Murphy

