On Tue, Feb 03, 2015 at 02:10:31PM -0600, Les Mikesell wrote:
> I'd just rather see them applying their expertise to actually making
> the code resist brute-force password attacks instead of stopping the
> install until I pick a password that I'll have to write down because
> they think it will take longer for the brute-force attack to succeed
> against their weak code.
...

The installer has MANY MANY defaults that were decided on to produce a good starting point. Setting a root password that meets an extremely low bar in terms of security was one of those decisions. Honestly, of all the faults and foibles in the Red Hat/CentOS installer, I'm amazed that someone is complaining about that.

"Oh No! They released a product that's *incrementally* more secure than before! Heavens Above! (faints)"

If you honestly are so unable to remember a password for longer than 20 minutes, then I suggest using a kickstart to set the root password with a crypted hash. Or have a %post script replace whatever you typed in the password prompt with your insecure password.

This is one of those decisions many software products have to make: weighing the general security gained by requiring somewhat more secure passwords against the inconvenience of having to remember a somewhat more secure password. Since it's possible to get around the requirement in multiple ways, it makes sense to lean toward the more secure option. Make it inconvenient to be less secure.

-- 
Jonathan Billings <billings at negate.org>
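The two workarounds named in the message above (a `rootpw --iscrypted` line in the kickstart, or a `%post` script that overwrites the installer's choice), shown as an added example that is not part of the original post or of the CentOS/Red Hat installer. It assumes that `openssl` 1.1.1 or newer (for `passwd -6`) or a `python3` with the `crypt` module is available on the machine where the kickstart is generated; the password string itself is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a SHA-512 crypt hash
# for the root password and emit a kickstart fragment that uses it, together
# with a %post section that overwrites the password after installation.
# Assumption: `openssl passwd -6` (OpenSSL >= 1.1.1) or python3's crypt
# module exists on the host that generates the kickstart.

crypt_password() {
    # Usage: crypt_password 'plaintext'
    # Prints a $6$<salt>$<hash> string (SHA-512 crypt) with a random salt.
    pw="$1"
    if openssl passwd -6 "$pw" 2>/dev/null; then
        return 0
    fi
    # Fallback for hosts whose openssl predates the -6 option.
    python3 -c 'import crypt, sys; print(crypt.crypt(sys.argv[1], crypt.mksalt(crypt.METHOD_SHA512)))' "$pw"
}

is_sha512_crypt() {
    # Returns 0 when the argument has the $6$<salt>$<hash> shape, so a caller
    # can refuse to write a plaintext or malformed value into the kickstart.
    case "$1" in
        '$6$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

kickstart_fragment() {
    # Usage: kickstart_fragment '$6$...'
    # Prints the kickstart lines. Only the hash lands in the file, so the
    # installer's strength check is skipped without exposing the plaintext.
    is_sha512_crypt "$1" || { echo "refusing to write a non-crypt value" >&2; return 1; }
    cat <<EOF
# Pre-hashed root password: bypasses the interactive strength check.
rootpw --iscrypted $1

%post --log=/root/ks-post.log
# Alternative from the post: overwrite whatever was typed at the prompt.
# Note that this variant stores the plaintext in the kickstart file itself,
# readable by anyone who can fetch the kickstart.
echo 'root:correct horse battery staple' | chpasswd
%end
EOF
}

main() {
    # Constructed placeholder password; replace with your own.
    h=$(crypt_password 'correct horse battery staple') || exit 1
    kickstart_fragment "$h"
}

main
```

The `%post` variant is the one to avoid where the kickstart is served over the network (PXE/HTTP), because the plaintext is then readable by every host that can fetch the file; the `--iscrypted` line exposes only the hash.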