On 10 Mar 2015, at 07:00, Matěj Cepl wrote:

> On 2015-03-10, 10:15 GMT, Björn Persson wrote:
>>> The user surely knows better what a good password is than the
>>> software does. If the user picks a crappy password, there's probably a good
>>> reason.
>>
>> There are two possible reasons why you would say that. Either you
>> haven't even looked at the Ars Technica articles that have been
>> discussed in this thread, or else you believe that a majority of users
>> of all sorts of web services think it's all right if all the spies and
>> script kiddies in the world have full access to their accounts.
>
> I think certainly there should be some protection against
> passwords like "monkey" (why monkey and not kangaroo, for
> example?) or "iloveyou" (as Pope Francis said, our message
> should be based on love, not hate!), but when it tries to do too
> much more it is getting in the way even to the people who
> actually know what they are talking about. A VM used only
> for temporary compilation on the old platform just doesn't
> need a 63-random-character password from
> https://www.grc.com/passwords.htm


At the risk of complicating someone's life:

Given that pattern-based attacks make meaningful password quality checking nigh impossible, why not just drop password quality checks?

Instead, give a simple explanation that a secure password should:

* be at least xx random characters in length, utilize both lower and upper case letters, as well as numerals and special characters, and not contain any human recognizable pattern -- and that any pattern that one can easily remember is probably insecure; or

* be generated by a suitably random password generator, such as a 7 word Diceware password.

Then embed a random password generator, such as /usr/bin/apg, and give the user a choice of generating a random password of whatever length the user wants, or simply entering whatever insecure password the user deems appropriate given the anticipated use of the installed OS.

--
Mike
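The two options Mike sketches (a long random character password versus a multi-word Diceware passphrase) differ mainly in how their entropy is counted. The following is an added example, not code from the thread or from Fedora: it draws words and characters with a CSPRNG and reports the entropy of each scheme. The embedded wordlist is a constructed stand-in; a real Diceware list has 7776 entries.

```python
import math
import secrets
import string

# Constructed sample wordlist so the example runs offline.
# A real Diceware list has 6**5 = 7776 words, one per five-dice roll.
SAMPLE_WORDS = [
    "apple", "brick", "candle", "dune", "ember", "forge", "glass", "harbor",
    "ivory", "jungle", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
]

DICEWARE_LIST_SIZE = 6 ** 5   # size of a real Diceware list
PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from
    an alphabet of `alphabet_size` symbols (assumes a uniform generator)."""
    return length * math.log2(alphabet_size)


def diceware_passphrase(words, count: int = 7, sep: str = " ") -> str:
    """Pick `count` words uniformly with `secrets` (never the `random` module,
    which is not a CSPRNG). Words may repeat, as with real dice."""
    if not words:
        raise ValueError("empty wordlist")
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 63, alphabet: str = None) -> str:
    """Random password over printable ASCII (no space), like a generator page."""
    alphabet = alphabet or (string.ascii_letters + string.digits + string.punctuation)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Entropy in bits for the schemes discussed in the thread."""
    return {
        "diceware_7_words": entropy_bits(DICEWARE_LIST_SIZE, 7),
        "random_63_chars": entropy_bits(PRINTABLE_ASCII, 63),
        "lowercase_8_chars": entropy_bits(26, 8),  # typical weak password
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:20s} {bits:6.1f} bits")
    print(diceware_passphrase(SAMPLE_WORDS))
    print(random_password())
```

The entropy figures hold only when the generator is uniform, which is why the block uses `secrets`; a user-chosen phrase that happens to be seven words carries far less.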

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct