On Fri, Jan 30, 2015 at 1:13 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> Just FYI, this will likely be my last post to this thread.
>
> On Fri, 30 Jan 2015 12:59:12 -0700
> Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
>> Users who want or need more secure passwords can always opt in without
>> affecting anyone else. Why is the project's installer not merely
>> questioning the user's veracity and competency, but disallowing them,
>> by force, from doing what they think is in their best interest?
>
> Because you cannot just say "This is some decision, I know whatever I
> do will have good and bad tradeoffs, therefore, I will just not decide
> and expose all the possible choices to the user". That's just not
> tenable.

Except we do exactly that with custom partitioning on UEFI systems, by making users responsible for things they've never previously been responsible for, and the same developers defend this UI with "users are expected to know what they're doing" in that UI.

And at the same time, tenable has been, we haven't had a password requirement up until now, the same as every other major distro and OS on the planet. Can anyone name another OS that has a minimum quality password enforcement by default for device login access? I can't think of any.

>> > I'll have to change my throw away
>> > instance test password from 'abc123' to something like 'tacosyum99'
>> > Shrug.
>>
>> You fail to understand the can of worms opened up by this. My trust in
>> Fedora is diminished because of the theatrics and indiscriminately
>> shifting this burden onto all users. The arguments in favor thus far
>> are demonstrably specious, so there must be some other explanation for
>> why the change is being made.
>
> I think most people think it's not such a big deal and cannot see why
> you are so stridently affected by it.

Its effect on me personally is moot.
I am a user advocate, and as such I trust the overwhelming majority of users to set an appropriate password for their use case, rather than this condescending babysitting nonsense that impacts security almost nil, and impacts usability significantly and disproportionately.

I think users should be educated and incentivized to make the right choices for their use case. By making this involuntary the project is absolutely saying "we do not trust the user to make this decision voluntarily, which is why we have to force them into making better passwords regardless of the context and use case."

When you stop trusting me, I stop trusting you. And that's a huge problem, and thus far the engineering types are looking at this with narrow vision, it's 2 more key presses. They aren't looking at this at all from the perspective of its connotation. Not even Windows, that rat trap of security problems, requires this of me. What's wrong with Fedora that I am *required* to have a stronger password here than on any of my other devices?

--
Chris Murphy