> On Feb 2, 2015, at 4:26 PM, Les Mikesell <[email protected]> wrote:
>
> On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <[email protected]> wrote:
>>>
>> Let’s flip it around: what’s your justification *for* weak passwords?
>>
> You don't need to write them down.
The new rules are:
1. At least 8 characters.
2. Nothing that violates the pwquality rules:
http://linux.die.net/man/8/pam_pwquality
Are you telling me you cannot memorize a series of 8 characters that do not
violate those rules?
I’m the first to fight boneheaded “password security” schemes like a required
change every N weeks, but this is not that. Spend a bit of time, cook up a
really good password, and then use it for the next several years. That
amortizes the cost of memorization to near-zero, greatly reducing the drive to
write it down in an insecure place.
> Or trust some 3rd party password
> keeper to keep them.
That doesn’t really apply here. Any password you have to type into a GUI is
going to have to be something you can memorize. Password managers are for
things you access *after* you are logged in.
(Another gripe of mine: this recent trend toward using some “cloud” login as
your OS login. Apple, Microsoft, and Google are now all doing this! This
perforce requires me to weaken a password with a cloud-sized attack surface
(i.e. frackin’ huge) to the point that I can memorize it. Before this change,
I was using huge random passwords and 2FA. That doesn’t work any more in a
world where the OS now requires my cloud password every time it wants elevated
privileges.)
> Whereas when 'not weak' is determined by
> someone else in the middle of trying to complete something, you are
> very likely to have to write it down.
Presumably you have already worked out a good password, and memorized it.
This change is not going to enforce uniqueness per server.
(Though, if this server will be used via SSH, it might be a good idea to do
that anyway. SSH keys — optionally with passphrases — are more secure than
even quite a long human-memorizable password. Disable password auth and use
keys.)
_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos
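The closing advice in the post above (disable SSH password authentication and use keys) as an added worked example. This is not code from the original post, from CentOS, or from OpenSSH; it assumes OpenSSH's "Keyword value" sshd_config syntax, the sample config fragment it edits is constructed for the demo, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the original post or from CentOS/OpenSSH.
# Rewrites an sshd_config so that logins are key-only, which is what the
# post recommends. Assumes OpenSSH's "Keyword value" config syntax; the
# sample config fragment near the bottom is constructed for this demo.

# set_sshd_option FILE KEYWORD VALUE
# Rewrite every existing KEYWORD line (commented out or not) to
# "KEYWORD VALUE"; append the directive if the file never mentions it.
# Match is case-sensitive, so write keywords in OpenSSH's CamelCase.
# Note: lines inside "Match" blocks are rewritten too; check those by hand.
set_sshd_option() {
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$2[[:space:]]" "$1"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$2[[:space:]].*/$2 $3/" "$1" \
            > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# harden_sshd_config FILE
# Turn off every way to log in with a password, leave public keys on.
# Install your key in ~/.ssh/authorized_keys and confirm a key login
# works BEFORE applying this, or you lock yourself out.
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    # Keyboard-interactive (PAM) prompts are another password path.
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitEmptyPasswords no
}

# effective_value FILE KEYWORD
# sshd uses the FIRST uncommented occurrence of a keyword, so report that.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# make_sample_config FILE: constructed fragment resembling CentOS 7 defaults,
# where password logins are on and the pubkey line is merely a comment.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config fragment
#PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

# Demo on a temporary file so nothing on the host changes.
demo=$(mktemp)
make_sample_config "$demo"
harden_sshd_config "$demo"
echo "PasswordAuthentication -> $(effective_value "$demo" PasswordAuthentication)"
echo "PubkeyAuthentication   -> $(effective_value "$demo" PubkeyAuthentication)"
rm -f "$demo"
```

To apply it for real: copy /etc/ssh/sshd_config aside, run harden_sshd_config on the copy, validate it with `sshd -t -f <copy>`, move it into place and reload sshd, all while keeping your current SSH session open so a mistake does not cost you access. The first uncommented occurrence of a keyword is the one sshd honours, which is why effective_value reports the first match rather than the last.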