Warren Young wyml at etr-usa.com Tue Feb 3 00:32:15 UTC 2015
> Are you telling me you cannot memorize a series of 8 characters that do not violate those rules?
Keep in mind the original context isn't for production computers, it's testing Fedora. Many testers do dozens of installs per week, some do dozens per day. The password requirement is pretty annoying, I for one haven't tested it since I worked with the first build that includes the change. Why?
While ostensibly it's an 8 character minimum, pwquality is sufficiently capricious that 8 characters is frequently insufficient. I tried about a dozen times and failed, gave up, and went with an ill-advised 10 character password that I forgot within 30 minutes after the installation was complete.
The problem is the decision to stop innovating ways to incentivize irrational users into producing stronger passwords voluntarily, and instead bringing out boxing gloves to make everyone do it by force. It's inherently adversarial.
Someone else made an analogy with the anti-immunization camp. The analogy has some fatal flaws, but one of the ways it works is the irrational reaction component. As it turns out if you call these people names, tell them it's safe, give them all the facts, they just become even more intractable because it's not even about that. Making it compulsory is likely to do the same thing and worse. The way to do it is to establish incentives. If you want your kid going to public schools of any grade, then immunization is a prerequisite. Of course it's your choice, ultimately. Good luck with private school. Here too what's going on is a lack of a mechanism to tie default services with a sufficiently acceptable password. e.g. a checkbox for sshd being enabled is grayed out, not even checkable, so long as the password is crap.
Or iterate upon the basic concept which is, you get something for something, bring the user along and get them to change their behavior rather than poking them in the eyeball without any respect to the use case.
Windows, OS X, iOS, Android, have much weaker password enforcement than is currently in Fedora 21 and older (and RHEL 7 and older). There's no password even required on mobile devices. I can use a 4 digit PIN to get money out of an ATM. Context, use case, and other mitigation mechanisms are relevant. And the debate is whether a stronger password requirement is really worth, e.g. having root remote login enabled by default on Fedora Server. Whereas sshd isn't enabled on Fedora Workstation.
Over on Windows and OS X Servers (try not to laugh, stay on topic!), the expectation is you bring over a USB keyboard, or connect with serial or ethernet console. You opt into remote services explicitly.
> I’m the first to fight boneheaded “password security” schemes like a required change every N weeks, but this is not that.
Actually I put it in the category of rearranging the deck chairs. It's a debate about very weak vs weak passwords. And I think this will just cause some people to consider their less crap password to now be fair or strong. If we really want strong passwords, we're talking in the vicinity of a compulsory 20+ character password (or passphrase rather). No need to tell me how you feel about that, I'm pretty confident I can predict the response.
> (Another gripe of mine: this recent trend toward using some “cloud” login as your OS login. Apple, Microsoft, and Google are now all doing this!)
It's a good gripe, I don't like it either. However at least Apple and Microsoft have direct paths to work around this seeming requirement. I don't know about ChromeBooks, but certainly on my Android (actually cyanogen) phone I don't have to use a password at all for the phone itself, just services.
> (Though, if this server will be used via SSH, it might be a good idea to do that anyway. SSH keys — optionally with passphrases — are more secure than even quite a long human-memorizable password. Disable password auth and use keys.)
Yes, and it's under discussion to make keys compulsory by default rather than passwords, for at least root remote logins. Hard to set up compared to a password. But once that's done it's actually easier to use.
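As an added example (my own code, not from this thread, Fedora, or OpenSSH): a small POSIX shell audit of an sshd_config for the two settings the exchange above is about, password authentication and remote root login. It honors sshd's first-match-wins rule for repeated directives and ignores commented-out lines, which is exactly where the stock "#PasswordAuthentication yes" line misleads people. The two config fragments are constructed for the example, the function names are mine, and the fallback defaults (PasswordAuthentication yes, PermitRootLogin yes) are assumptions matching the upstream OpenSSH defaults of that era; Match blocks are not handled.

```shell
#!/bin/sh
# Added example: audit an sshd_config text for password auth and root login.
# Not part of the thread; assumptions are noted inline.

# Constructed sample: a stock-looking config where the only password line is
# a comment, so the compiled-in default (yes) is what actually applies.
WEAK_CONFIG='# constructed example, not a real host
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
'

# Constructed sample: what the quoted advice ("disable password auth and use
# keys") looks like in practice, with root limited to key-based login.
HARDENED_CONFIG='PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
'

# effective_value CONFIG KEY DEFAULT
# Prints the value sshd would use for KEY: the first uncommented occurrence
# wins (sshd semantics); if none is present, DEFAULT is printed.
# Assumption: no Match blocks, and "Key value" syntax rather than "Key=value".
effective_value() {
    config=$1; key=$2; default=$3
    val=$(printf '%s\n' "$config" | awk -v k="$key" '
        /^[ \t]*#/ { next }                       # comments are not directives
        tolower($1) == tolower(k) { print tolower($2); exit }')
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config CONFIG
# Returns 0 when password login is off and root cannot log in with a
# password; returns 1 (and explains why) otherwise.
# Assumed defaults: PasswordAuthentication yes, PermitRootLogin yes.
audit_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin yes)
    status=0
    if [ "$pw" = yes ]; then
        echo "PasswordAuthentication is effectively yes: every account is open to online guessing"
        status=1
    fi
    case $root in
        prohibit-password|without-password|no) ;;   # root is keys-only or blocked
        yes)
            echo "PermitRootLogin yes: root accepts whatever auth methods are enabled"
            status=1 ;;
        *)
            echo "PermitRootLogin $root: unrecognized value, treating as weak"
            status=1 ;;
    esac
    return $status
}

# Demonstration: the stock-looking config fails, the hardened one passes.
if audit_sshd_config "$WEAK_CONFIG"; then
    echo "weak config: accepted (unexpected)"
else
    echo "weak config: rejected"
fi
if audit_sshd_config "$HARDENED_CONFIG"; then
    echo "hardened config: accepted"
else
    echo "hardened config: rejected (unexpected)"
fi
```

To run it against a real host, replace the constructed strings with `"$(cat /etc/ssh/sshd_config)"`; the point of the first-match rule is that a hardened line appended at the bottom of the file does nothing if an earlier active line already sets the same directive.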