On Jul 28, 2015, at 7:05 PM, Chris Murphy <lists at colorremedies.com> wrote:
>
> no OS does this right now

Chrome OS does, because your OS password is your Google password. Therefore, Chrome OS’s password quality minima are Google’s minima, which are similar to libpwquality’s defaults:

http://passrequirements.com/passwordrequirements/google

OS X and iOS offer the option of using your Apple ID as your OS login password, which has similar requirements to Google's:

https://support.apple.com/en-us/HT201303

Windows has also been doing this since Windows 8. Microsoft's rules are stronger than either Google’s or Apple’s:

http://www.liveside.net/2012/07/23/microsoft-account-to-enforce-stricter-password-controls/

Android, Apple, and Microsoft currently allow you to use non-Internet based authentication, but defaults matter.

You’ll notice that this list is mobile-heavy. These rules exist because these passwords are subject to public pounding over the Internet…just like a great many CentOS boxes.

> I still think informed consent is the way this will probably end up
> working - meaning the user is informed their password is common
> (dictionary word, derivative, or a top 10,000 most common password)
> should not be used but give them a way to use it anyway.

We’ve had that at least since EL6 came out, about 5 years ago. (Probably before that in the Fedora line.) Apparently those in a position to decide these things see that this has not caused a sufficient shift in the quality of passwords used on Red Hattish boxes, evidenced by lack of a sharp drop in botnet members.

> I would never accept such a
> product that required such login rules.

Yes, well, we’ll see what you’re using in another 2-ish years when CentOS 8 ships. Money, mouth, and all that.