On Wednesday 25 February 2015 18:55:29 Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 10:42 AM, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
> > However unless we can agree to some sort of measurement system then
> > everything we 'impose' is going to be no better than throwing salt over
> > our shoulder and turning 3 times widdershins.
>
> Feynman's Freshman Class problem... I don't think this is well enough
> understood to put this in front of users. And by this, I mean,
> concepts like entropy or even a score.

That's why I proposed to also show the minimum entropy/score needed. If I provide something that gets a score of 10 while the requirement is 20, then I know that I need something much more complex. On the other hand, if I get 19 and the requirement is 20, I know I need just a simple modification to push it over the threshold.

Users are already rather familiar with password quality meters.

But the minimum entropy *depends directly* on the rate limiting and password ageing settings.

> It also doesn't actively give advice in advance, it only disqualifies
> (or admonishes) after the fact, so it's negative (re)enforcement,
> rather than being positive. And I can't agree this is the right
> direction to go in.

What I had in mind was that the password evaluation (and example passwords) is done after the user stops writing (0.5s of inactivity?) or moves to the re-entry field. So it's during the act, not after.

It's also rather hard to tell the user he can't have the password he or she likes before knowing it...

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
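As an added illustration of the point that the minimum entropy depends on rate limiting and password ageing (this is example code written for this page, not anything from the thread or from Fedora), the following assumes an online-guessing threat model bounded by the login rate limit and the password lifetime, a uniform-strength model where G guesses against an H-bit password succeed with probability G / 2^H, and a constructed 2-bit "almost there" band for the meter feedback; the policy values are constructed samples.

```python
import math


def min_entropy_bits(attempts_per_minute: int, max_age_days: int,
                     acceptable_success_prob: float) -> int:
    """Smallest H such that an attacker limited to the given guess rate for
    the whole lifetime of the password succeeds with probability at most
    acceptable_success_prob.  Derived from G / 2^H <= p, i.e. H >= log2(G / p).
    """
    if attempts_per_minute <= 0 or max_age_days <= 0:
        raise ValueError("rate limit and password age must be positive")
    if not 0 < acceptable_success_prob < 1:
        raise ValueError("acceptable_success_prob must be in (0, 1)")
    total_guesses = attempts_per_minute * max_age_days * 24 * 60
    return math.ceil(math.log2(total_guesses / acceptable_success_prob))


def meter_feedback(score_bits: float, required_bits: int,
                   close_band: int = 2) -> str:
    """Feedback a quality meter could show next to the required minimum:
    'ok'    - candidate meets the policy,
    'close' - within close_band bits, a small modification should suffice,
    'far'   - needs something substantially more complex.
    (The 2-bit band is a constructed choice for this example.)
    """
    gap = required_bits - score_bits
    if gap <= 0:
        return "ok"
    if gap <= close_band:
        return "close"
    return "far"


if __name__ == "__main__":
    # Constructed policies: same 90-day ageing, very different rate limits.
    for rate, age in ((10, 90), (1000, 90), (10, 365)):
        need = min_entropy_bits(rate, age, 1e-3)
        print(f"{rate:>5}/min, {age:>3} days -> need {need} bits; "
              f"19 bits is {meter_feedback(19, need)}")
```

Loosening the rate limit or lengthening the password lifetime raises the required minimum, which is why the number shown to the user has to be computed from the deployed policy rather than hard-coded.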