On Thu, Feb 5, 2015 at 2:03 PM, Máirín Duffy <duffy@xxxxxxxxxx> wrote:
>
>
> On 02/05/2015 12:36 PM, Brian C. Lane wrote:
>>
>> Next to impossible? Really? I've find it easy to come up with passwords
>> that work. We even report libpwquality's reason for any failures.
>
>
> 'my name is' (good) (10 chars)
> 'bacon4eva!' (strong) (10 chars)
> 'hamncheese.' (strong) (10 chars)
> 'GoPatriots!' (strong) (11 chars)
> 'hey, you!' (good) (8 chars)
> '8crayons.' (good) (9 chars)
> 'latte2015' (good) (9 chars)
>
>
> I tried making up some passwords in Anaconda in F21, which uses the same
> library. I had a difficult time making a password rated less than good when
> I made passwords that were 10 characters with only lowercase letters and no
> spaces or special characters. Add spaces, a punctuation mark, or caps and it
> is instantly easier. I had a much harder time making a new acceptable
> password for my Twitter account.
I don't see how that's possible. Twitter has a clear guideline enabling the building of a minimum acceptable password such that I can do it in a single attempt. Anaconda doesn't define anything at all. It just complaints "too weak" but doesn't state what I need to do to fix it. Make it not weak? Duh, but that's not helpful.
I enter in a 6 character password, I'm told it's too weak and that it doesn't contain at least 7 characters. I enter in 7 characters, and I'm told merely that it's too weak. OK the minimum is apparently 7 characters yet I can't find a single 7 character combination to appease the weak rating. Is it 8? I've already spent more time creating passwords in this single build of Anaconda, than the total cumulative time I've spent creating, modifying, resetting, and using my Twitter password.
In any case, it's reasonable for online services to require minimum password quality. It's not reasonable for Fedora to do this for my devices. There is no service in this context.
> Is the concern that 10 chars is too long?
The concern is that it's not Fedora's hardware. It's my device, I get to decide what the password quality and the password are. Even proprietary products respect this long standing practice. This has the feel of Fedora usurping a kind of control over my hardware that doesn't even exist on proprietary OS's (let alone other Linux distributions).
Yes, 10 characters is too long, I think this requirement will make users mad. I'm disinclined to do any further installer testing because of this change, and the manner in which it was done.
I'm also concerned about CoC warnings and sanction on test@. This is the list were users volunteer to be abused by software, as such I think they're more tolerant. And yet this misfeature hasn't been well received at all here, overwhelmingly. I'd expect the reception in the rest of the community would be quite a bit less docile.
--
Chris Murphy
--
Chris Murphy
_______________________________________________ Anaconda-devel-list mailing list Anaconda-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/anaconda-devel-list
