On Tue, Feb 03, 2015 at 02:10:31PM -0600, Les Mikesell wrote:
> I'd just rather see them applying their expertise to actually making
> the code resist brute-force password attacks instead of stopping the
> install until I pick a password that I'll have to write down because
> they think it will take longer for the brute-force attack to succeed
> against their weak code.
Also, it isn't up to the *installer* to set up a system that resists
brute-force password attacks. That's a job for the default
configuration files in OpenSSH, GDM, KDM, and any other software
product that reads the password database. All the installer can do is
read in the plain-text password, check to make sure it passes a
minimum policy, then crypt it and put it in the shadow file.
There are certainly things that could change, like having the pam
configuration have pam_faillock on by default. But I tend to think
that having brute-force resistance *AND* slightly better password
security should be the goal, not one to the exclusion of the other.
--
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
