Password security

Robert Moskowitz rgm at htt-consult.com
Tue Mar 3 13:14:26 UTC 2015


On 03/02/2015 05:16 PM, Mike Chambers wrote:
> Hey all,
>
> Obviously when installing F22 now, you have that new password security
> level to make you jump through hoops to set a password during install.
> I understand the reasoning for "secure" passwords, but there is one
> catch.

What will happen is that a single (or small subset) of passwords will be 
used for root during install (Fedora_Project works fine, you don't have 
to add the 123 at the end).  User ID setup will be done with admin 
rights and no password required.  Then after install is complete, passwd 
would be used to set up a 'regular' password for root and the user.

Meanwhile the system is on the net with a known root password and maybe 
a knowable user ID for N minutes with SSH up and running and open.  What 
is the exposure?

Besides SSH what other attack vector exists until the passwords are reset?

>
> *I* am the admin at my household, and *I* am the admin at my company
> (scenario speaking), and *I* set how secure I want passwords set at
> those locations, not *you*.  I will determine how tough I want my
> systems, I don't need any hand holding, nor help.
>
> And in reality, we don't have a lot of kids, grandmas, grandpas,
> careless operators, typical window users using these systems as normal
> everyday workstations like window users, so they aren't going to
> experience the same issues.
>
> Linux is not like windows, it doesn't have the same type system, so the
> same type things won't hurt it.  Most stuff that will get hurt, stolen
> from, hacked, whatever is online stuff such as banks, credit cards
> stuff, etc.
>
> In other words, give us the tools to help get people in the right
> direction, but don't try to turn the wrench as well.  That's up to us
> to get it how tight we want.  Whether it falls apart or not, is on us.
>
>
> Besides that, I changed that crap back to what I wanted in the first
> place after the install.  So your security was breached off the bat.
> Please get rid of it and set it back to like before.
>
> Thanks and have a good day,
>
>
