On Jul 28, 2015, at 7:05 PM, Chris Murphy lists@colorremedies.com wrote:
> no OS does this right now
Chrome OS does, because your OS password is your Google password. Therefore, Chrome OS’s password quality minima are Google’s minima, which are similar to libpwquality’s defaults:
http://passrequirements.com/passwordrequirements/google
OS X and iOS offer the option of using your Apple ID as your OS login password, which has similar requirements to Google's:
https://support.apple.com/en-us/HT201303
Windows has also been doing this since Windows 8. Microsoft's rules are stronger than either Google’s or Apple’s:
http://www.liveside.net/2012/07/23/microsoft-account-to-enforce-stricter-pas...
Android, Apple, and Microsoft currently allow you to use non-Internet based authentication, but defaults matter.
You’ll notice that this list is mobile-heavy. These rules exist because these passwords are subject to public pounding over the Internet…just like a great many CentOS boxes.
> I still think informed consent is the way this will probably end up working - meaning the user is informed that their password is common (a dictionary word, a derivative, or one of the top 10,000 most common passwords) and should not be used, but is given a way to use it anyway.
We’ve had that at least since EL6 came out, about 5 years ago. (Probably before that in the Fedora line.)
Apparently those in a position to decide these things see that this has not caused a sufficient shift in the quality of passwords used on Red Hattish boxes, as evidenced by the lack of a sharp drop in botnet members.
> I would never accept such a product that required such login rules.
Yes, well, we’ll see what you’re using in another 2-ish years when CentOS 8 ships. Money, mouth, and all that.
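The two policies argued over in this thread, a hard "enforce" mode versus the "informed consent" mode where a common or derivative password produces a warning the user may override, are easy to show side by side. The following is an added example written for this page; it is not code from the thread, from libpwquality, or from any of the vendors mentioned. It borrows only libpwquality's default minimum length of 8 and the idea of a dictionary check; the common-password and dictionary sets are tiny constructed stand-ins for a real top-10,000 list and /usr/share/dict/words, and the function names (`candidate_forms`, `evaluate`, `decide`) are this example's own.

```python
"""Password-quality check with an "enforce" policy and an "informed consent"
policy, in the spirit of libpwquality's dictionary check.

Added example for this page; not code from the thread, libpwquality or any
vendor.  The word lists below are constructed stand-ins, not real data.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List

# Constructed stand-ins: a real deployment would load a breach-derived
# top-10,000 list and the system dictionary instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}
DICTIONARY_WORDS = {"centos", "redhat", "summer", "dragon", "football"}

MIN_LENGTH = 8  # libpwquality's default minlen

# Leetspeak substitutions to undo when looking for derivatives of a word.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password: str) -> Iterator[str]:
    """Yield the normalized variants a cracker's rule set would try, so that
    'P@ssw0rd1' or 'Summer2015!' is recognized as a derivative of a word:
    lower-cased, trailing/leading digits and punctuation stripped, reversed,
    and each of those with leetspeak undone."""
    base = password.lower()
    no_trailing = re.sub(r"[\d\W_]+$", "", base)
    core = re.sub(r"^[\d\W_]+", "", no_trailing)
    seen = set()
    for raw in (base, no_trailing, core, core[::-1]):
        for form in (raw, raw.translate(_LEET)):
            if form and form not in seen:
                seen.add(form)
                yield form


@dataclass
class Verdict:
    errors: List[str] = field(default_factory=list)    # never overridable
    warnings: List[str] = field(default_factory=list)  # overridable under "inform"


def evaluate(password: str) -> Verdict:
    """Run the checks and sort findings into hard errors and warnings.
    Length is a hard error; being a common word or a derivative of one is
    the kind of finding the thread proposes warning about."""
    verdict = Verdict()
    if len(password) < MIN_LENGTH:
        verdict.errors.append(f"shorter than {MIN_LENGTH} characters")
    for form in candidate_forms(password):
        if form in COMMON_PASSWORDS:
            verdict.warnings.append(f"derived from common password '{form}'")
            break
        if form in DICTIONARY_WORDS:
            verdict.warnings.append(f"derived from dictionary word '{form}'")
            break
    return verdict


def decide(password: str, policy: str = "inform", user_overrides: bool = False) -> bool:
    """Accept or reject under one of two policies.

    "enforce": any finding rejects the password.
    "inform":  hard errors still reject; warnings reject only when the user,
               having been shown them, does not choose to override.
    """
    verdict = evaluate(password)
    if verdict.errors:
        return False
    if not verdict.warnings:
        return True
    if policy == "enforce":
        return False
    return user_overrides


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Summer2015!", "dragon", "correct horse battery staple"):
        v = evaluate(candidate)
        print(f"{candidate!r}: errors={v.errors} warnings={v.warnings}")
        print(f"  enforce -> {decide(candidate, 'enforce')},"
              f" inform -> {decide(candidate, 'inform')},"
              f" inform+override -> {decide(candidate, 'inform', True)}")
```

The derivative normalization is the part worth getting right: a check that only compares the literal password against a list passes "P@ssw0rd1" and "Summer2015!", both of which fall to the first rule set any cracking tool applies. The length minimum is kept as a hard error in both policies so that an override cannot be used to get a six-character password past the check.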