Björn Persson wrote:
> Kevin Kofler wrote:
> > The user surely knows better what a good password is than the 
> > software does. If the user picks a crappy password, there's probably a good 
> > reason.
> 
> There are two possible reasons why you would say that. Either you
> haven't even looked at the Ars Technica articles that have been
> discussed in this thread, or else you believe that a majority of users
> of all sorts of web services think it's all right if all the spies and
> script kiddies in the world have full access to their accounts.

The replies to that message make me wonder if perhaps some people
misunderstood what I meant. I haven't clearly expressed any opinions
about enforced requirements on passphrases, and some people may have
made assumptions about my opinions. In the hope of clearing up any
misunderstandings I'll make these statements:

· The fact that we don't have a good algorithm for calculating
passphrase quality is a good argument against trying to enforce a
minimum passphrase quality.

· The fact that use cases exist where there is little need for access
control – for example temporary and isolated test installations – is a
valid argument against trying to enforce a minimum passphrase quality.

· The assertion that users in general know what a good password is is
not a valid argument, because it's so obviously false that it's plain
ridiculous.

· A policy that would permit "Tr0ub4dor&3" because it contains upper
case, lower case, digits and symbols, but forbid "correct horse battery
staple" because it's all lower case, would be counterproductive and a
terrible mistake.

Björn Persson
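
The last point in the message above, a composition rule that accepts "Tr0ub4dor&3" and rejects "correct horse battery staple", can be made concrete in code. The following is an added illustration, not code from the thread, from Björn Persson, or from any Fedora component. It implements the two competing rules and two ways of crediting strength: the naive character-set count that a composition rule implicitly assumes, and a structure-aware estimate that only credits the choices an attacker who knows the habit still has to guess. The word lists, the leet table and the bit budgets (11 bits for a common word, 16 for a rarer one) are assumptions, modelled on the accounting in the xkcd comic the two strings come from, and the estimator is deliberately crude; it is not offered as the "good algorithm for calculating passphrase quality" the message says we lack.

```python
import math
import re
from typing import Optional

# Constructed inputs: the two strings the message contrasts.
TROUBADOR = "Tr0ub4dor&3"
PASSPHRASE = "correct horse battery staple"

# --- The two policies ----------------------------------------------------

def composition_policy(pw: str, min_len: int = 8) -> bool:
    """The 'complexity' rule the message criticises: at least min_len characters
    and three of the four classes lower / upper / digit / symbol."""
    classes = (
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    )
    return len(pw) >= min_len and sum(classes) >= 3

def length_policy(pw: str, min_len: int = 16) -> bool:
    """An assumed alternative: a length floor and no class requirements."""
    return len(pw) >= min_len

# --- Two ways of crediting strength --------------------------------------

# Assumed model parameters (not from the message; stand-ins for real word lists).
COMMON_WORDLIST_BITS = 11                 # ~2048 common words per passphrase word
RARE_WORDLIST_BITS = 16                   # ~65k words for a less common base word
COMMON_WORDS = {"correct", "horse", "battery", "staple"}
RARE_WORDS = {"troubador"}
LEET = {"0": "o", "4": "a", "3": "e", "1": "i", "5": "s", "7": "t", "@": "a", "$": "s"}

def naive_charset_bits(pw: str) -> float:
    """What a composition rule implicitly credits: every character drawn
    uniformly from the union of the classes present."""
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                          (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            alphabet += size
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def structure_bits(pw: str) -> Optional[float]:
    """Credit only the decisions an attacker who knows the habit must guess.
    Handles two habits: several dictionary words, or one (possibly rare) word
    with capitalisation, leet substitutions and a short appended digit/symbol
    tail. Returns None when neither pattern applies."""
    words = pw.split()
    if len(words) > 1 and all(w in COMMON_WORDS for w in words):
        return len(words) * COMMON_WORDLIST_BITS
    m = re.fullmatch(r"(.*?[A-Za-z])([^A-Za-z]*)", pw)   # base word + non-letter tail
    if not m:
        return None
    base, tail = m.groups()
    deleeted = "".join(LEET.get(c, c) for c in base.lower())
    if deleeted in RARE_WORDS:
        bits = float(RARE_WORDLIST_BITS)
    elif deleeted in COMMON_WORDS:
        bits = float(COMMON_WORDLIST_BITS)
    else:
        return None
    bits += 1 if base != base.lower() else 0              # capitalisation: on or off
    bits += sum(1 for c in base if c in LEET)             # each substitution: done or not
    bits += sum(math.log2(10) if c.isdigit() else math.log2(33) for c in tail)
    bits += 1 if len(tail) > 1 else 0                     # order of the appended characters
    return bits

def report(pw: str) -> dict:
    """Gather both policy verdicts and both estimates for one candidate."""
    return {
        "composition_ok": composition_policy(pw),
        "length_ok": length_policy(pw),
        "naive_bits": round(naive_charset_bits(pw), 1),
        "structure_bits": structure_bits(pw),
    }

if __name__ == "__main__":
    for candidate in (TROUBADOR, PASSPHRASE):
        print(repr(candidate), report(candidate))
```

Run as a script it shows the inversion the message describes: the composition rule passes "Tr0ub4dor&3" and fails the four-word phrase, while the structure-aware estimate credits the former with roughly 28 bits and the latter with 44. The naive count goes the other way for both strings (about 72 and 165 bits), which is why a rule built on character classes looks reasonable on paper and misleads in practice.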


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
