Another Fedora decision

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Warren Young wyml at etr-usa.com Tue Feb 3 00:32:15 UTC 2015

> Are you telling me you cannot memorize a series of 8 characters that do
> not violate those rules?


Keep in mind the original context isn't for production computers, it's
testing Fedora. Many testers do dozens of installs per week, some do dozens
per day. The password requirement is pretty annoying, I for one haven't
tested it since I worked with the first build that includes the change. Why?

While ostensibly it's an 8 character minimum, pwquality is sufficiently
capricious that 8 characters is frequently insufficient. I tried about a
dozen times and failed, gave up, and went with an ill advised 10 character
password that I forgot within 30 minutes after the installation was
complete.

The problem is the decision to stop innovating ways to incentivize
irrational users into producing stronger passwords voluntarily, and instead
bringing out boxing gloves to make everyone do it by force. It's inherently
adversarial.

Someone else made an analogy with the anti-immunization camp. The analogy
has some fatal flaws, but one of the ways it works is the irrational
reaction component. As it turns out if you call these people names, tell
them it's safe, give them all the facts, they just become even more
intractable because it's not even about that. Making it compulsory is
likely to do the same thing and worse. The way to do it is to establish
incentives. If you want your kid going to public schools of any grade, then
immunization is a prerequisite. Of course it's your choice, ultimately.
Good luck with private school. Here too what's going on is a lack of a
mechanism to tie default services with a sufficiently acceptable password.
e.g. a checkbox for sshd being enabled is grayed out, not even checkable,
so long as the password is crap.

Or iterate upon the basic concept which is, you get something for
something, bring the user along and get them to change their behavior
rather than poking them in the eyeball without any respect to the use case.

Windows, OS X, iOS, Android, have much weaker password enforcement than is
currently in Fedora 21 and older (and RHEL 7 and older). There's no
password even required on mobile devices. I can use a 4 digit PIN to get
money out of an ATM. Context, use case, and other mitigation mechanisms are
relevant. And the debate is whether a stronger password requirement is
really worth, e.g. having root remote login enabled by default on Fedora
Server. Whereas sshd isn't enabled on Fedora Workstation.

Over on Windows and OS X Servers (try not to laugh, stay on topic!), the
expectation is you bring over a USB keyboard, or connect with serial or
ethernet console. You opt into remote services explicitly.


I’m the first to fight boneheaded “password security” schemes like a
> required change every N weeks, but this is not that.


Actually I put it in the category of rearranging the deck chairs. It's a
debate about very weak vs weak passwords. And I think this will just cause
some people to consider their less crap password to now be fair or strong.
If we really want strong passwords, we're talking in the vicinity of a
compulsory 20+ character password (or passphrase rather). No need to tell
me how you feel about that, I'm pretty confident I can predict the response.


> (Another gripe of mine: this recent trend toward using some “cloud” login
> as your OS login.  Apple, Microsoft, and Google are now all doing this! )


It's a good gripe, I don't like it either. However at least Apple and
Microsoft have direct paths to work around this seeming requirement. I
don't know about ChromeBooks, but certainly on my Android (actually
cyanogen) phone I don't have to use a password at all for the phone itself,
just services.


> (Though, if this server will be used via SSH, it might be a good idea to
> do that anyway.  SSH keys — optionally with passphrases — are more secure
> than even quite a long human-memorizable password.  Disable password auth
> and use keys.)


Yes and it's under discussion to make keys compulsory by default rather
than passwords for at least root remote logins. Hard to setup compared to a
password. But once that's done it's actually easier to use.


-- 
Chris Murphy
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos





[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux