Just FYI, this will likely be my last post to this thread.

On Fri, 30 Jan 2015 12:59:12 -0700 Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:

> ATMs have rate and retry limits, among other mechanisms, to permit a 4
> digit numeric PIN being adequately secure. Does Fedora have limits on
> rate and retries? If not, why not?

I think there are in ssh. I don't know the details.

> Users who want or need more secure passwords can always opt in without
> affecting anyone else. Why is the project's installer not merely
> questioning the user's veracity and competency, but disallowing them,
> by force, from doing what they think is in their best interest?

Because you cannot just say "This is some decision, I know whatever I do will have good and bad tradeoffs, therefore, I will just not decide and expose all the possible choices to the user". That's just not tenable.

> What is the plan should no one care to harden Fedora security in other
> ways? 16 character passwords are next? The diceware minimum
> recommended passphrase is made of 5 words. If the project cares so
> much about other people's minimum acceptable security that it's
> willing to enforce this under duress, why not make it actually
> meaningful? Oh, because a 20 character passphrase being compulsory
> might actually make too many users angry for suggesting their
> passwords are shit.

I don't know that there are any plans to go higher. The Fedora account system requires 9 (if mixed with different case and punctuation).

> > apg (along with many other things) can generate you a list of
> > passwords and 'pwscore' can make sure they will pass the same tests
> > anaconda would give them.
> >
> > IMHO, this isn't so big a deal.
>
> And apg and pwscore are going to be integrated into the Anaconda GUI?

I doubt it?

> Or will the GUI simply be an enforcer while providing zero assistance
> in selecting an appropriate password? What feedback will the user be
> given so they understand what exact change in behavior they need to
> make?

I don't know. Perhaps you could provide some sensible RFE on what feedback it should/could give?

> Have you actually played with pwscore?

Yes.

> # pwscore root
> shrkobtk
> 1
> # pwscore root
> tableprison
> 41
> # pwscore root
> inforats
> Password quality check failed:
> The password fails the dictionary check - it is based on a
> dictionary word
>
> This defies belief. Random scores lowest. Two dictionary words score
> average. A dictionary word fragment and a plural noun is disqualified.
> Ridiculous.

Feel free to file bugs on it. I suspect the random one is due to it being short as well as all lower case and containing no numbers.

> > I'll have to change my throw away
> > instance test password from 'abc123' to something like 'tacosyum99'
> >
> > Shrug.
>
> You fail to understand the can of worms opened up by this. My trust in
> Fedora is diminished because of the theatrics and indiscriminately
> shifting this burden onto all users. The arguments in favor thus far
> are demonstrably specious, so there must be some other explanation for
> why the change is being made.

I think most people think it's not such a big deal and cannot see why you are so stridently affected by it.

kevin
Attachment: pgplzr61dBXQ3.pgp (OpenPGP digital signature)
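Editor's added illustration of the rate-limit versus offline-cracking argument running through this exchange (the ATM PIN, the 8-letter random string, the two-word password and the 5-word Diceware minimum). This is not code from the list, anaconda or pwscore, and it is not libpwquality's scoring; the 10,000-word dictionary size and the online/offline guess rates are assumed values for the model.

```python
import math

# Constructed guessing-cost model for the password shapes discussed in the
# thread. Assumed parameters (not from pwscore or the thread):
DICT_WORDS = 10_000      # assumed size of the common-word list an attacker tries
DICEWARE_WORDS = 7776    # 6^5 entries in the standard Diceware list
LOWER = 26               # a-z
DIGITS = 10              # 0-9


def uniform_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """Average guesses to hit a uniformly chosen secret: half the space."""
    return 2 ** (bits - 1)


def password_models():
    """Bits under the cheapest attacker strategy that fits each password's structure."""
    return {
        # 4-digit ATM PIN: tiny space, but the ATM allows only a few online tries.
        "pin4": uniform_bits(4, DIGITS),
        # 'shrkobtk': 8 random lowercase letters, so only brute force applies.
        "random8_lower": uniform_bits(8, LOWER),
        # 'tableprison': two common words; a dictionary attacker pays per word,
        # not per letter, so the 11-character length is misleading.
        "two_words": uniform_bits(2, DICT_WORDS),
        # Diceware minimum: 5 words chosen uniformly from the 7776-word list.
        "diceware5": uniform_bits(5, DICEWARE_WORDS),
    }


def compare(online_per_day=3, offline_per_second=1e10):
    """Days to crack each model online (rate-limited) vs offline (stolen hash).

    Returns {name: (bits, online_days, offline_days)}; the guess rates are
    assumed round numbers, not measurements."""
    out = {}
    for name, bits in password_models().items():
        guesses = expected_guesses(bits)
        out[name] = (round(bits, 1), guesses / online_per_day,
                     guesses / offline_per_second / 86400)
    return out


if __name__ == "__main__":
    for name, (bits, on, off) in compare().items():
        print(f"{name:14s} {bits:5.1f} bits  online {on:14.0f} days  offline {off:12.6f} days")
```

With these assumptions the rate-limited 4-digit PIN survives for years while the unsalted-hash attacker clears the 8-letter random string in seconds, and two dictionary words fall faster still despite the higher pwscore shown above.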
--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test