[CentOS] Fedora change that will probably affect RHEL

Wed Jul 29 01:48:02 UTC 2015
Warren Young <wyml at etr-usa.com>

On Jul 28, 2015, at 7:05 PM, Chris Murphy <lists at colorremedies.com> wrote:
> 
> no OS does this right now

Chrome OS does, because your OS password is your Google password.  Therefore, Chrome OS’s password quality minima are Google’s minima, which are similar to libpwquality’s defaults:

  http://passrequirements.com/passwordrequirements/google

OS X and iOS offer the option of using your Apple ID as your OS login password, which has similar requirements to Google's:

  https://support.apple.com/en-us/HT201303

Windows has also been doing this since Windows 8.  Microsoft's rules are stronger than either Google’s or Apple’s:

  http://www.liveside.net/2012/07/23/microsoft-account-to-enforce-stricter-password-controls/

Android, Apple, and Microsoft currently allow you to use non-Internet-based authentication, but defaults matter.

You’ll notice that this list is mobile-heavy.  These rules exist because these passwords are subject to public pounding over the Internet…just like a great many CentOS boxes.

> I still think informed consent is the way this will probably end up
> working - meaning the user is informed their password is common
> (dictionary word, derivative, or a top 10,000 most common password)
> should not be used but give them a way to use it anyway.

We’ve had that at least since EL6 came out, about 5 years ago.  (Probably before that in the Fedora line.)

Apparently those in a position to decide these things see that this has not caused a sufficient shift in the quality of passwords used on Red Hattish boxes, evidenced by lack of a sharp drop in botnet members.

> I would never accept such a
> product that required such login rules.

Yes, well, we’ll see what you’re using in another 2-ish years when CentOS 8 ships.  Money, mouth, and all that.