> On Feb 2, 2015, at 4:26 PM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote: > > On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml@xxxxxxxxxxx> wrote: >>> >> Let’s flip it around: what’s your justification *for* weak passwords? >> > You don't need to write them down. The new rules are: 1. At least 8 characters. 2. Nothing that violates the pwquality rules: http://linux.die.net/man/8/pam_pwquality Are you telling me you cannot memorize a series of 8 characters that do not violate those rules? I’m the first to fight boneheaded “password security” schemes like a required change every N weeks, but this is not that. Spend a bit of time, cook up a really good password, and then use it for the next several years. That amortizes the cost of memorization to near-zero, greatly reducing the drive to write it down in an insecure place. > Or trust some 3rd party password > keeper to keep them. That doesn’t really apply here. Any password you have to type into a GUI is going to have to be something you can memorize. Password managers are for things you access *after* you are logged in. (Another gripe of mine: this recent trend toward using some “cloud” login as your OS login. Apple, Microsoft, and Google are now all doing this! This perforce requires me to weaken a password with a cloud-sized attack surface (i.e. frackin’ huge) to the point that I can memorize it. Before this change, I was using huge random passwords and 2FA. That doesn’t work any more in a world where the OS now requires my cloud password every time it wants elevated privileges.) > Whereas when 'not weak' is determined by > someone else in the middle of trying to complete something, you are > very likely to have to write it down. Presumably you have already worked out a good password, and memorized it. This change is not going to enforce uniqueness per server. (Though, if this server will be used via SSH, it might be a good idea to do that anyway. SSH keys — optionally with passphrases — are more secure than even quite a long human-memorizable password. Disable password auth and use keys.) _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos