Hi,

At the last WG meeting [1] we discussed the password strength issue. We agreed on four main points:

1) Fedora Workstation will ship a custom .conf file in /etc/security/pwquality.conf.d, which is now possible in F23 [2].

2) gnome-initial-setup will be modified to prevent the user from setting a password that would be rejected by libpwquality.

3) We need to test a reasonable set of passwords we'd want to succeed, to make sure the settings we chose in (1) are correct.

4) Our requirements for local password strength will allow passwords that would be much too weak were remote access via SSH to be enabled. We should have some user interaction when enabling SSH in the Sharing panel to force the user to pick a much stronger password.

Note: point (1) allows corporate deployments to set their own password policies, which will be respected by GNOME, to meet their own security needs, by modifying /etc/security/pwquality.conf (which overrides the settings in /etc/security/pwquality.conf.d).

Point (4) above sets the goal of setting stricter password requirements when remote access is enabled. Remote access is disabled by default and will remain disabled forever for most Workstation users, so it's not appropriate for that case to dictate our default password requirements. This means only physical adversaries are interesting to consider.

We haven't yet discussed what is the reasonable set of passwords we'd want to succeed. I propose the following starting point for this discussion, from [2]:

"In Fedora Workstation, we expect passwords to be used to provide good security against nontechnical human beings with physical access to the computer, physically typing away at the keyboard. By default, they aren't intended to protect against sophisticated adversaries. We therefore want to allow users to set much weaker passwords than are currently permitted by libpwquality, since longer passwords don't provide any practical benefit to most of our users."

You might not worry about people breaking into your house to steal your desktop computer, but we _should_ be concerned about laptops. But to protect against a sophisticated physical adversary, disk encryption is required and the local password is not very interesting.

We still need more effort to define what should be acceptable passwords. One possibility:

"Examples of acceptable passwords include 'berlin,' 'wombat,' and 'butter.' Any of these would work great at keeping out a human typing on the keyboard."

This implies that we disable pwquality's use of cracklib in the pwquality configuration file, and reduce the minimum acceptable characters down as far as pwquality allows (6, I think).

Keep in mind that we've established that pwquality is not very good at rating password strength.

[1] http://meetbot.fedoraproject.org/fedora-meeting/2015-07-20/workstation.2015-07-20-13.00.log.html/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1241310

-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
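Points (1) and (3) of the message, as an added illustration that is not part of the original thread or of libpwquality: a small Python script that parses a pwquality.conf.d-style drop-in and replays a candidate password list against both the stock settings and the proposed Workstation drop-in. Only the minlen and dictcheck rules are emulated, credits are ignored, the wordlist is a constructed stand-in for cracklib, and the drop-in text is constructed; for real validation run the list through pwscore(1).

```python
"""Emulate the minlen and dictcheck rules of libpwquality to compare a
test password list against stock settings and a Workstation drop-in.
Illustration only: credits and the other pwquality checks are omitted."""

# Constructed stand-in for the cracklib wordlist consulted by dictcheck.
DICTIONARY = {"berlin", "wombat", "butter", "password", "fedora"}

# Values assumed to match libpwquality's built-in defaults when the key
# is absent from pwquality.conf (minlen 8, dictionary check on).
DEFAULTS = {"minlen": 8, "dictcheck": 1}

# Constructed drop-in in the format used by /etc/security/pwquality.conf.d/
WORKSTATION_CONF = """
# Fedora Workstation: local, non-technical adversary only
# 6 is the smallest value libpwquality accepts for minlen
minlen = 6
# disable the cracklib dictionary check
dictcheck = 0
"""


def parse_conf(text):
    """Parse 'key = value' lines on top of DEFAULTS; '#' lines and blanks skipped."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = int(value.strip())
    return settings


def check(password, settings):
    """Return None if the password is accepted, else the failed rule name."""
    if len(password) < settings["minlen"]:
        return "minlen"
    if settings["dictcheck"] and password.lower() in DICTIONARY:
        return "dictcheck"
    return None


def evaluate(passwords, settings):
    """Map each candidate to the rule it failed (None means accepted)."""
    return {pw: check(pw, settings) for pw in passwords}


if __name__ == "__main__":
    wanted = ["berlin", "wombat", "butter"]
    for name, cfg in (("defaults", DEFAULTS),
                      ("workstation", parse_conf(WORKSTATION_CONF))):
        print(name, evaluate(wanted, cfg))
```

With the drop-in all three example passwords are accepted, while the stock settings reject them on minlen before the dictionary check is even reached.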