On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>
> Let's flip it around: what's your justification *for* weak passwords?
>

You don't need to write them down. Or trust some 3rd party password keeper to keep them. Whereas when 'not weak' is determined by someone else in the middle of trying to complete something, you are very likely to have to write it down.

--
Les Mikesell
lesmikesell at gmail.com
On Mon, February 2, 2015 5:26 pm, Les Mikesell wrote:
> On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
>> Let's flip it around: what's your justification *for* weak passwords?
>>
> You don't need to write them down. Or trust some 3rd party password
> keeper to keep them. Whereas when 'not weak' is determined by
> someone else in the middle of trying to complete something, you are
> very likely to have to write it down.
>

Whereas I agree with you... Well, I tell my users when they set a password after I have created an account for them: the most important thing is that you can memorize and type your password. I myself, however, use a rather strong password (knocking on wood), and was never bugged by a "weak password" warning. Being a sysadmin, and "paranoia" is in a sysadmin's job description, I tend to have all passwords different; neither my regular user nor root passwords should ideally ever repeat anywhere, even on different machines I administer. So I imminently am using encrypted password storage. These days it is keepassx.

Just my $0.02

Valeri

PS I don't like, though, policies invented by bureaucrats having no technical knowledge, serving only to cover their backsides, like in National Laboratories where they require one to change the password every 6 months, and the password should never be anything you used in the past. This doesn't serve security, and is counter-productive. This policy for me indicates that they declare explicitly that they maintain the security of their systems not too well, as a result of which your password likely can get compromised...

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Mon, Feb 2, 2015 at 5:45 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> On Mon, February 2, 2015 5:26 pm, Les Mikesell wrote:
>> On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>>>
>>> Let's flip it around: what's your justification *for* weak passwords?
>>>
>> You don't need to write them down. Or trust some 3rd party password
>> keeper to keep them. Whereas when 'not weak' is determined by
>> someone else in the middle of trying to complete something, you are
>> very likely to have to write it down.
>>
>
> Whereas I agree with you...

Or, you might similarly ask what is your justification for not getting up at 5 AM, going to the gym and swimming 20 or 30 laps every morning. The answer might just be that you are lazy, but should a software vendor make their code stop working for you because they think you aren't working hard enough?

--
Les Mikesell
lesmikesell at gmail.com
> On Feb 2, 2015, at 4:26 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>
> On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>>>
>> Let's flip it around: what's your justification *for* weak passwords?
>>
> You don't need to write them down.

The new rules are:

1. At least 8 characters.

2. Nothing that violates the pwquality rules: http://linux.die.net/man/8/pam_pwquality

Are you telling me you cannot memorize a series of 8 characters that do not violate those rules?

I'm the first to fight boneheaded "password security" schemes like a required change every N weeks, but this is not that. Spend a bit of time, cook up a really good password, and then use it for the next several years. That amortizes the cost of memorization to near-zero, greatly reducing the drive to write it down in an insecure place.

> Or trust some 3rd party password
> keeper to keep them.

That doesn't really apply here. Any password you have to type into a GUI is going to have to be something you can memorize. Password managers are for things you access *after* you are logged in.

(Another gripe of mine: this recent trend toward using some "cloud" login as your OS login. Apple, Microsoft, and Google are now all doing this! This perforce requires me to weaken a password with a cloud-sized attack surface (i.e. frackin' huge) to the point that I can memorize it. Before this change, I was using huge random passwords and 2FA. That doesn't work any more in a world where the OS now requires my cloud password every time it wants elevated privileges.)

> Whereas when 'not weak' is determined by
> someone else in the middle of trying to complete something, you are
> very likely to have to write it down.

Presumably you have already worked out a good password, and memorized it. This change is not going to enforce uniqueness per server.

(Though, if this server will be used via SSH, it might be a good idea to do that anyway. SSH keys, optionally with passphrases, are more secure than even quite a long human-memorizable password. Disable password auth and use keys.)
Warren Young wrote:
> The new rules are:
>
> 1. At least 8 characters.
>
> 2. Nothing that violates the pwquality rules:
>
> http://linux.die.net/man/8/pam_pwquality

The 7 rules listed in this URL seem utterly bizarre to me. The first is "Don't use a palindrome", which makes me wonder if the author knows the meaning of this word. I suspect he/she thinks it means "a known word backwards". Of the remaining 6 rules one is optional ("repeated characters") and 3 of the remaining 5 concern similarity to previous passwords. Of the remaining 2, one is to avoid short passwords (unspecified), and the other to avoid one's username.

--
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
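The checks Timothy enumerates from the pam_pwquality man page (palindrome, three kinds of similarity to the previous password, minimum length, the username, and the optional repeated-character limit), as an added example that is not part of the original thread and is not pam_pwquality's own code: a constructed Python re-implementation so the rules can be run against sample passwords. The thresholds are assumptions chosen for illustration (minlen=8 matches Warren's "at least 8 characters" rule; difok=5 and maxrepeat=3 are constructed values, and pam_pwquality leaves the repeat limit off by default), and the "too similar" measure here is a simple multiset difference rather than the library's exact algorithm.

```python
"""Constructed approximation of pam_pwquality-style checks (not the library's code)."""
from collections import Counter
from typing import List, Optional

# Assumed thresholds: minlen mirrors the "at least 8 characters" rule in the thread;
# difok and maxrepeat are constructed values, not pam_pwquality's real defaults.
DEFAULT_MINLEN = 8
DEFAULT_DIFOK = 5      # new characters required relative to the old password
DEFAULT_MAXREPEAT = 3  # longest allowed run of one character (0 disables the check)


def is_palindrome(pw: str) -> bool:
    """'racecar' and 'abccba' read the same backwards, so they fail this check."""
    return len(pw) > 1 and pw == pw[::-1]


def is_rotation(new: str, old: str) -> bool:
    """'defghabc' is 'abcdefgh' rotated: same length, same characters, shifted."""
    return len(new) == len(old) and new != old and new in (old + old)


def new_chars(new: str, old: str) -> int:
    """Characters of `new` not accounted for by `old` (case-insensitive multiset difference)."""
    return sum((Counter(new.lower()) - Counter(old.lower())).values())


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character, e.g. 4 for 'aaaab'."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(new: str, old: Optional[str] = None, user: Optional[str] = None,
                   minlen: int = DEFAULT_MINLEN, difok: int = DEFAULT_DIFOK,
                   maxrepeat: int = DEFAULT_MAXREPEAT) -> List[str]:
    """Return the names of the failed checks; an empty list means the password passes."""
    problems: List[str] = []
    if len(new) < minlen:
        problems.append("too_short")
    if is_palindrome(new):
        problems.append("palindrome")
    if old is not None:
        # The three "similar to the previous password" rules Timothy counts.
        if new == old:
            problems.append("same_as_old")
        elif new.lower() == old.lower():
            problems.append("case_change_only")
        elif is_rotation(new, old):
            problems.append("rotated")
        if new != old and new_chars(new, old) < difok:
            problems.append("too_similar")
    if user:
        lowered = new.lower()
        if user.lower() in lowered or user.lower()[::-1] in lowered:
            problems.append("contains_user")
    if maxrepeat and longest_run(new) > maxrepeat:
        problems.append("repeated_chars")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "alice" is a made-up username.
    for candidate, old, user in [("abccba", None, None),
                                 ("defghabc", "abcdefgh", None),
                                 ("alice2015!", None, "alice"),
                                 ("Tr0ub4dor&3", None, None)]:
        print(f"{candidate!r}: {check_password(candidate, old, user) or 'ok'}")
```

Each check is a separate small function, so a reader can see that "palindrome" really does mean the whole string read backwards (Timothy's point), and that the rotation and case-change rules only bite when an old password is supplied.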
On 02/03/2015 04:56 AM, Les Mikesell wrote:
> On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
>> Let's flip it around: what's your justification *for* weak passwords?
>>
> You don't need to write them down. Or trust some 3rd party password
> keeper to keep them. Whereas when 'not weak' is determined by
> someone else in the middle of trying to complete something, you are
> very likely to have to write it down.
>

Use pass phrases. They work both ways - stronger password, easier to remember.

--
Regards,
Rejy M Cyriac (rmc)