On Mon, Jul 27, 2015 at 11:19:41AM -0600, Chris Murphy wrote:
> > I guess... I don't feel personally responsible for what happens to the
> > Mac users?
> Why do you feel responsible for the behavior of Fedora users?

That's not what I said.

> > I've been a sysadmin for long enough in environments which burned to
> > the ground over this. I don't think it's that hard to be _minimally
> > responsible_.
> Are you saying that best practices were followed in all other ways in
> those environments, except for password quality?
> Why is password quality being targeted rather than the number of ssh
> attempts being set to e.g. 3 per minute, by default? And does this
> sufficiently mitigate the concern, and if not, why not?

Reducing number of possible attempts is certainly part of the same calculation; basically, we want an appropriate level of password entropy for the permitted rate of attempts and the password lifetime. It doesn't need to be — and shouldn't be — overkill, but I don't think it's responsible of us to set the defaults too low, either.

> Whatever minimum quality is arrived at for Fedora 23 will likely be
> obsolete for Fedora 24, certainly obsolete for Fedora 25. So at least
> it's annual discussions to raise the minimum password quality. That's
> how fast the minimum is escalating, once you choose to become
> responsible for the behavior of others' login passwords.

I don't think this is necessarily true.

>
> So no, I don't think it's easy. I think it's easier to choose things
> that don't require much discussion because they have next to no impact
> on legitimate usage, even if they take more work to build. At least
> the work goes into building real defenses rather than arguing about
> fake ones. And I think password quality for logins it's completely
> fake - it's a distraction.

I agree that if we increase other defenses this one becomes less of a hole on its own.

--
Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader