[CentOS] Another Fedora decision
Warren Young
wyml at etr-usa.com
Tue Feb 3 00:32:15 UTC 2015
> On Feb 2, 2015, at 4:26 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>
> On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>>>
>> Let’s flip it around: what’s your justification *for* weak passwords?
>>
> You don't need to write them down.
The new rules are:
1. At least 8 characters.
2. Nothing that violates the pwquality rules:
http://linux.die.net/man/8/pam_pwquality
Are you telling me you cannot memorize a series of 8 characters that do not violate those rules?
I’m the first to fight boneheaded “password security” schemes like a required change every N weeks, but this is not that. Spend a bit of time, cook up a really good password, and then use it for the next several years. That amortizes the cost of memorization to near-zero, greatly reducing the drive to write it down in an insecure place.
> Or trust some 3rd party password
> keeper to keep them.
That doesn’t really apply here. Any password you have to type into a GUI is going to have to be something you can memorize. Password managers are for things you access *after* you are logged in.
(Another gripe of mine: this recent trend toward using some “cloud” login as your OS login. Apple, Microsoft, and Google are now all doing this! This perforce requires me to weaken a password with a cloud-sized attack surface (i.e. frackin’ huge) to the point that I can memorize it. Before this change, I was using huge random passwords and 2FA. That doesn’t work any more in a world where the OS now requires my cloud password every time it wants elevated privileges.)
> Whereas when 'not weak' is determined by
> someone else in the middle of trying to complete something, you are
> very likely to have to write it down.
Presumably you have already worked out a good password, and memorized it.
This change is not going to enforce uniqueness per server.
(Though, if this server will be used via SSH, it might be a good idea to do that anyway. SSH keys — optionally with passphrases — are more secure than even quite a long human-memorizable password. Disable password auth and use keys.)
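An added example, not code from this post or from the CentOS project, of the last step above: making "disable password auth and use keys" an idempotent edit of sshd_config. It is a POSIX shell script run against a constructed copy of the file; the function names (set_directive, effective_value, harden_sshd_config, write_sample_config) and the sample config contents are this example's own, and the real file on a CentOS host is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the thread: turn "disable password auth and
# use keys" into an idempotent edit of an sshd_config copy. Function names
# (set_directive, effective_value, harden_sshd_config, write_sample_config)
# are this example's own. The real file is /etc/ssh/sshd_config.
set -eu

# set_directive FILE KEY VALUE
# sshd honours only the FIRST occurrence of a keyword, and a keyword inside a
# "Match" block applies to that block only. So: rewrite the first global
# mention (active or commented out), drop later global duplicates, leave
# Match blocks untouched, and if the keyword never appears, put it at the
# top, ahead of any Match block. Caveat: a comment line that merely begins
# with the keyword is rewritten as well.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    status=0
    awk -v k="$key" -v v="$value" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) exit 3 }
    ' "$file" > "$tmp" || status=$?
    if [ "$status" -eq 3 ]; then
        { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$tmp.new"
        mv "$tmp.new" "$tmp"
    elif [ "$status" -ne 0 ]; then
        rm -f "$tmp"
        return "$status"
    fi
    mv "$tmp" "$file"
}

# effective_value FILE KEY: the value sshd would use globally (first active
# line before any Match block), or nothing if the built-in default applies.
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Password logins reach sshd two ways: the "password" method and PAM-backed
# "keyboard-interactive" (ChallengeResponseAuthentication; OpenSSH 8.7+ calls
# it KbdInteractiveAuthentication and still accepts the old name). Close both
# and make key auth explicit rather than relying on the default.
harden_sshd_config() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" PubkeyAuthentication yes
}

# write_sample_config FILE: a constructed sshd_config for the demo, not a real
# host's file. ChallengeResponseAuthentication is deliberately absent so the
# "never mentioned" path runs; the Match block must survive unchanged.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the example
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
harden_sshd_config "$cfg"
cat "$cfg"
rm -f "$cfg"
```

Before applying this to the real file, confirm that a key login already works (generate one with `ssh-keygen -t ed25519`, which OpenSSH 6.5 and later accept, and install it with `ssh-copy-id`), then run `sshd -t` to syntax-check the edited config and `systemctl reload sshd`, keeping your current session open and testing from a second one before you log out.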