On Fri, 17 Feb 2017, Alberto Bursi wrote:

On 02/17/2017 12:26 PM, John Crispin wrote:
On 17/02/2017 12:16, Dan Lüdtke wrote:
Hi David,

thanks for the fast response!

On 17 Feb 2017, at 11:54, David Lang <da...@lang.hm> wrote:
But deciding that you know better than the admin of the system is not.

Not that I am a fan of telling admins what to do, but do you see any chance 
that we can get a consistent and enforceable approach to *minimum* 
requirements, e.g. minimum password length? Maybe by using a configuration 
variable? Having only the GUI enforce minimum password length and not the CLI is 
rather inconsistent (some may say useless or even confusing).
you don't have any idea what the security environment is for the system, or why 
the admin is selecting that password.

It's not just a busybox thing to allow the root user to select a password that 
is shorter than 'recommended', that's normal behavior on *nix systems and has 
been for decades, even as the 'recommendations' have changed.

I'd rather see this as a "LEDE" system, not a standard *nix system, even though it is based 
on Linux and runs a Linux kernel. The question is, is this more a "product" or just 
another Linux system?

"has been for decades" is not a good argument. The others are. But that one is 
just not.
Cheers,

Dan

I agree with David Lang, I regularly use "a" as a passwd on test units.

        John
I don't use a password in test units at all and there is no issue (shows
the warning on login but not much else), so I think the "I need short
passwords for testing" is a weak argument here.

That's just an example of an environment where the security policy makes short passwords acceptable.

And having no password is a much bigger change than having a short password when you are testing things. It makes a lot of sense to be exercising the password routine when doing tests, and very little difference if you are exercising it with a short password or a long one.

Why are you saying that short passwords are bad? Is it just because you have been told that they are?

Remember, a short password is only a problem if attackers have the ability to make brute force attacks on the system. If attackers can't get at the interface, or if there are other strategies in place to defeat brute force attacks, a short password can be acceptable.

And if the resource you are giving access to is not very important, but you can't easily do a blank password, or want to stop/slow unknown automated access, but want to have it accessible to any human, a simple password can be a great choice.

David Lang
(17 years in providing network security for Banks)
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev