[CentOS] Another Fedora decision

Tue Feb 3 20:51:48 UTC 2015
Jonathan Billings <billings at negate.org>

On Tue, Feb 03, 2015 at 02:10:31PM -0600, Les Mikesell wrote:
> I'd just rather see them applying their expertise to actually making
> the code resist brute-force password attacks instead of stopping the
> install until I pick a password that I'll have to write down because
> they think it will take longer for the brute-force attack to succeed
> against their weak code.

Also, it isn't up to the *installer* to set up a system that resists
brute-force password attacks.  That's a job for the default
configuration files in OpenSSH, GDM, KDM, and any other software
product that reads the password database.  All the installer can do is
read in the plain-text password, check to make sure it passes a
minimum policy, then crypt it and put it in the shadow file.

There are certainly things that could change, like having the pam
configuration have pam_faillock on by default.  But I tend to think
that having brute-force resistance *AND* slightly better password
security should be the goal, not one to the exclusion of the other.

-- 
Jonathan Billings <billings at negate.org>
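As an added illustration (not part of the thread), this is what the pam_faillock default Jonathan mentions looks like when switched on in a CentOS 7 `/etc/pam.d/system-auth` stack; the `deny=5` / `unlock_time=900` values are assumed for the example, not taken from the post.

```text
# /etc/pam.d/system-auth (auth and account sections only; constructed example)
# Stock layout: nothing counts failed attempts, so only the hash's cost
# stands between an attacker and a weak password.
#
#   auth        required      pam_env.so
#   auth        sufficient    pam_unix.so nullok try_first_pass
#   auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#   auth        required      pam_deny.so
#
# With pam_faillock enabled: lock the account after 5 consecutive failures
# for 15 minutes, and log every failure (audit) so it can be alerted on.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

# The account line is what actually enforces the lock once the counter
# reaches deny=... ; without it the failures are tallied but never applied.
account     required      pam_faillock.so
account     required      pam_unix.so
```

The same two `auth` lines and the `account` line go into `/etc/pam.d/password-auth` so SSH and the display managers share the counter; `faillock --user NAME` shows the tally and `faillock --user NAME --reset` clears it.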