On Tue, Jul 28, 2015 at 5:46 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Jul 28, 2015, at 2:46 PM, Chris Murphy <lists at colorremedies.com> wrote:
>>
>> My dad will absolutely stop using his iPad if it ever
>> requires him to use anything more than 4 numeric digits for his
>> password. The iPad never leaves the house.
>
> iPads can't be coopted into a botnet. The rules for iPad passwords must necessarily be different than for CentOS.

Windows has a lower minimum acceptable password quality than CentOS. OS X has a lower minimum still than Windows - as in, a single number is accepted. For an admin. With sshd enabled. And yet the Mac world does not burn.

That doesn't mean single-digit passwords are good, or should be recommended. It just means Apple doesn't care to fight that battle, or dump requirements onto the user. Instead they dump requirements onto the OS and onto application developers with better defaults: sshd is disabled, application binaries must be signed, App Store applications run in something like a sandbox, etc. So they are building up defenses elsewhere, rather than shifting the responsibility onto the user in the form of weird and confusing password requirements and the commensurate UI.

>
>> the Mac has SSH PKA required.
>
> True, but more on-point here is that OS X ships with sshd disabled by default. You have to dig into the pref panes and tick an obscurely-named checkbox to enable it.

Two points of clarity:

1. The quoted text above is a configuration change I made; OS X does not require PKA out of the box.

2. Fedora Workstation has sshd disabled by default, and you have to dig into the pref panes to enable an identically named service, "Remote Login"; although enabling it takes solidly three more clicks on GNOME than on OS X. So in some strange sense it's less likely to be inadvertently enabled on GNOME.

>> Their online services are another
>> matter, those I've made very clear they will be strong or they don't
>> get to play.
>
> The Apple ID password rules are a fair bit stronger than the libpwquality rules we've been discussing here, and have been so for some time:
>
> https://support.apple.com/en-us/HT201303
>
> Given that recent OS X releases want to use your Apple ID as the OS login credentials, that effectively makes these the OS password quality rules, too.

No, that's not true. The user is encouraged to authenticate this way; they are not required to, and it's very easy to bypass. I don't use it. Windows has a similar behavior, but rather strongly implies it's the only way to set up a user account (via an Outlook account); that too can be bypassed.

What is currently in the Anaconda master branch, which is how Fedora Rawhide has behaved for ~6 months, is that you get a show-stopper installation if you don't meet the minimum password requirement. And that requirement is not stated or explained. It's basically "it's not good enough, try again".

> Fedora is late to the party, and CentOS consequently even later.

Where Fedora and CentOS are late to the party is in improving defenses that don't require the user to do anything differently.

-- 
Chris Murphy