On 10 Mar 2015, at 07:00, Matěj Cepl wrote:
On 2015-03-10, 10:15 GMT, Björn Persson wrote:
The user surely knows better what a good password is than the software does. If the user picks a crappy password, there's probably a good reason.
There are two possible reasons why you would say that. Either you haven't even looked at the Ars Technica articles that have been discussed in this thread, or else you believe that a majority of users of all sorts of web services think it's all right if all the spies and script kiddies in the world have full access to their accounts.
I think certainly there should be some protection against passwords like "monkey" (why monkey and not kangaroo, for example?) or "iloveyou" (as Pope Francis said, our message should be based on love, not hate!), but when it tries to do too much more it is getting in the way even of the people who actually know what they are talking about. A VM used only for temporary compilation on the old platform just doesn't have to have a 63-random-chars password from https://www.grc.com/passwords.htm
At the risk of complicating someone's life:
Given that pattern-based attacks make meaningful password quality
checking nigh impossible, why not just drop password quality checks?
Instead, give a simple explanation that a secure password should:
* be at least xx random characters in length, utilize both lower and
upper case letters, as well as numerals and special characters, and
not contain any human recognizable pattern -- and that any pattern
that one can easily remember is probably insecure; or
* be generated by a suitably random password generator, such as a 7
word Diceware password.
Then embed a random password generator, such as /usr/bin/apg, and
give the user a choice of generating a random password of whatever
length the user wants, or simply entering whatever insecure password
the user deems appropriate given the anticipated use of the installed
OS.
--
Mike
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
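As an added illustration of Mike's proposal (example code written for this page, not from the thread, from anaconda or from apg): generate either a Diceware-style passphrase or a random character password with the `secrets` module, and quantify both in bits so the "7 word Diceware" and "63 random chars" options can be compared. The short word list is a constructed stand-in; the real Diceware list has 7776 entries, and the entropy figures below use that size.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware word list (the real one has 6**5 = 7776 words).
SAMPLE_WORDLIST = ["abacus", "bishop", "cactus", "dinghy", "ember", "fjord",
                   "gadget", "harbor", "ivory", "jigsaw", "kernel", "lantern"]
DICEWARE_LIST_SIZE = 6 ** 5          # five dice rolls per word
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, count: int) -> float:
    """Entropy of `count` independent, uniform picks from `alphabet_size` options.

    Only valid for generated passwords; a human-chosen string like "monkey"
    has far less entropy than its length suggests, which is the thread's point.
    """
    return count * math.log2(alphabet_size)


def diceware_passphrase(words: int = 7, wordlist=None) -> str:
    """Join `words` uniformly random words; secrets.choice is a CSPRNG, random.choice is not."""
    wordlist = wordlist or SAMPLE_WORDLIST
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random character password of user-chosen length over the printable ASCII set."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def words_for_target(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest Diceware word count that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(f"7 Diceware words (full list): {entropy_bits(DICEWARE_LIST_SIZE, 7):.1f} bits")
    print(f"63 random printable chars:    {entropy_bits(len(PRINTABLE), 63):.1f} bits")
    print(f"Words needed for 128 bits:    {words_for_target(128)}")
    print("passphrase (sample list):", diceware_passphrase())
    print("random password:          ", random_password(16))
```

With the full list, seven words give about 90 bits, which is why a Diceware passphrase is a reasonable default offer next to the "whatever length the user wants" random option.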