On Sat, 25 Jul 2015 11:16:18 -0600 Chris Murphy <lists at colorremedies.com> wrote:

> On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
> > This might show up twice, I think I sent it from a bad address previously.
> > If so, please accept my apologies.
> >
> > In Fedora 22, one developer (and only one) decided that if the password
> > chosen during installation wasn't of sufficient strength, the install
> > wouldn't continue. A bug was filed, and there was also a great deal of
> > aggravation about it on the Fedora testing list. So, it was dropped.
> >
> > However, like a US (and probably other countries) politician who has one
> > bad law suddenly exposed, it seems they are doing it for F23, judging from
> > a test installation. I've filed a bug if anyone wants to chime in and ask
> > them not to do it.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1246771
>
> This is a good write up on the story:
> https://lwn.net/Articles/639405/
>
> And the proposal for Fedora 23:
> https://fedoraproject.org/wiki/Changes/Standardized_passphrase_policy
>
> And the discussion for Workstation's behavior:
> https://lists.fedoraproject.org/pipermail/desktop/2015-July/012588.html

Something like this?

"Sorry, your password has been in use for 30 days and has expired - you must register a new one."
New password: roses
"Sorry, too few characters."
pretty roses
"Sorry, you must use at least one numerical character."
1 pretty rose
"Sorry, you cannot use blank spaces."
1prettyrose
"Sorry, you must use at least 10 different characters."
1fuckingprettyrose
"Sorry, you must use at least one upper case character."
1FUCKINGprettyrose
"Sorry, you cannot use more than one upper case character consecutively."
1FuckingPrettyRose
"Sorry, you must use no fewer than 20 total characters."
1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow!
"Sorry, you cannot use punctuation."
1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow
"Sorry, that password is already in use."

BR, Bob
Who thinks the password policy in my machines is my concern.
On Jul 25, 2015, at 6:22 PM, Bob Marcan wrote:

> 1FuckingPrettyRose
> "Sorry, you must use no fewer than 20 total characters."
> 1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow!
> "Sorry, you cannot use punctuation."
> 1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow
> "Sorry, that password is already in use."

The new rules are nowhere near that stringent:

http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html

> Who thinks the password policy in my machines are my concern.

Much of the evil on the Internet today -- DDoS armies, spam spewers, phishing botnets -- is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.

Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.

In the previous thread on this topic, 6 months ago, I likened reasonable password strength minima to state-mandated vaccination. Previously-defeated diseases have started to reappear as the antivax movement has gained momentum. Polio came back in Pakistan, measles in California, and whooping cough in Australia, all within the last year or two.

https://en.wikipedia.org/wiki/Vaccine_controversies

So no, your local password quality policy is not purely your own concern.
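To make the contrast between Bob's joke policy and what pam_pwquality actually enforces concrete, here is an added example (written for this page, not code from the thread, from libpwquality, or from Fedora). It approximates a handful of the checks the pam_pwquality(8) and pwquality.conf(5) manual pages describe (minlen, minclass, maxrepeat, maxclassrepeat, usercheck, dictcheck), driven by a policy file in pwquality.conf syntax. The policy values, the user name and the tiny wordlist standing in for cracklib's dictionary are all constructed for the example; the `minlen` fallback of 8 is an assumption, and cracklib's real dictionary transformations are not reproduced.

```python
"""Approximate re-implementation of a few pam_pwquality checks.

Added example for this page; not libpwquality's code. Library defaults and
cracklib's dictionary logic are not reproduced.
"""
from __future__ import annotations

from typing import Iterable

# Constructed stand-in for cracklib's dictionary (the dictcheck rule).
TOY_WORDLIST = {"password", "roses", "welcome", "letmein"}

# Constructed policy in pwquality.conf(5) syntax. The keys are documented
# ones; the values were chosen for this example, not taken from any distro.
POLICY = """
# constructed example policy
minlen = 10
minclass = 2
maxrepeat = 3
# 0 disables the check
maxclassrepeat = 0
usercheck = 1
dictcheck = 1
"""


def parse_pwquality_conf(text: str) -> dict[str, int]:
    """Parse 'key = value' lines; '#' starts a comment."""
    conf: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = int(value)
    return conf


def char_class(c: str) -> str:
    """Four classes as in pwquality; in this approximation a space is 'other'."""
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def longest_run(items: Iterable[object]) -> int:
    """Length of the longest run of consecutive identical items."""
    best = run = 0
    prev: object = object()
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_password(password: str, conf: dict[str, int], user: str = "") -> list[tuple[str, str]]:
    """Return (rule, reason) pairs for every policy rule the password fails."""
    failures: list[tuple[str, str]] = []
    minlen = conf.get("minlen", 8)  # assumed fallback for this example
    if len(password) < minlen:
        failures.append(("minlen", f"{len(password)} chars, policy needs {minlen}"))
    classes = {char_class(c) for c in password}
    minclass = conf.get("minclass", 0)
    if len(classes) < minclass:
        failures.append(("minclass", f"{len(classes)} character classes, policy needs {minclass}"))
    maxrepeat = conf.get("maxrepeat", 0)
    if maxrepeat and longest_run(password) > maxrepeat:
        failures.append(("maxrepeat", f"a character repeats more than {maxrepeat} times in a row"))
    maxclassrepeat = conf.get("maxclassrepeat", 0)
    if maxclassrepeat and longest_run(char_class(c) for c in password) > maxclassrepeat:
        failures.append(("maxclassrepeat", f"more than {maxclassrepeat} consecutive chars of one class"))
    if conf.get("usercheck", 0) and user:
        low, u = password.lower(), user.lower()
        if u in low or u[::-1] in low:
            failures.append(("usercheck", "contains the user name (or its reverse)"))
    if conf.get("dictcheck", 0) and password.lower() in TOY_WORDLIST:
        failures.append(("dictcheck", "is a dictionary word"))
    return failures


def failed_keys(password: str, conf: dict[str, int], user: str = "") -> list[str]:
    return [rule for rule, _ in check_password(password, conf, user)]


if __name__ == "__main__":
    conf = parse_pwquality_conf(POLICY)
    # Bob's candidates from the thread, checked against the constructed policy.
    for candidate in ["roses", "pretty roses", "1 pretty rose", "1prettyrose"]:
        verdict = check_password(candidate, conf, user="bob")
        print(f"{candidate!r}: {'OK' if not verdict else verdict}")
```

Under this policy "pretty roses" already passes (two classes, no long runs, not a dictionary word), which is the point Warren is making: none of the "no spaces", "no punctuation" or "20 characters" rules in the joke exist among these keys. Whether a real installer accepts a given passphrase still depends on the distribution's own pwquality.conf values and cracklib's dictionary.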
Once upon a time, Warren Young <wyml at etr-usa.com> said:

> Much of the evil on the Internet today -- DDoS armies, spam spewers, phishing botnets -- is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.

Since most of that crap comes from Windows hosts, the security of Linux SSH passwords seems hardly relevant.

> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.

Your freedom to dictate terms to me stops at my system, which you cannot access even if I set the password to "12345". You are making an assumption that every Fedora/CentOS install is on the public Internet, and then applying rules based on that (false) assumption.

When root can override a password policy after install, forcing a policy during install is nothing but stupid and irritating. Despite what was said on the Fedora list, this was an active change taken by anaconda developers (to take out the "click again to accept anyway" option), so they should expect people to complain to them and be prepared to handle the response.

-- 
Chris Adams <linux at cmadams.net>
On Tue, Jul 28, 2015 at 11:27 AM, Warren Young <wyml at etr-usa.com> wrote:

> Much of the evil on the Internet today -- DDoS armies, spam spewers, phishing botnets -- is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.

Your freedom to have sshd enabled by default stops at the point where exercising that freedom creates risk to other people's machines. I can also use that logic with password-based auth by default, rather than PKA by default.

A rather strong argument can be made, much more so than a very weak > weak password quality policy, for sshd on a default 7 day disable timer. That is, by default, after 7 days, sshd is stopped and disabled. In the autopsies of pwned computers is the quickly provisioned server with a standard simple in-house password for such things, with the idea that after configuration the password will get changed or more likely sshd is disabled or it'll be added to firewall filtering. The reality is all the bad practices happen because this quickly provisioned machine is forgotten about for one reason or another, and then it gets owned. Well, disabling sshd after 7 days would stop all of that and yet doesn't prevent initial configuration.

More likely, I think we'll see either sshd disabled by default or PKA required by default, both being provisioned via Cockpit. And that's because the minimum password quality under discussion is still rather weak when it comes to being able to put a system directly on the Internet or facing it with port forwarding while taking no other precautions. And yet the weak password policy is too strong for many legitimate use cases where the use case/environment aren't high risk for such passwords.

-- 
Chris Murphy
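The "sshd stopped and disabled after 7 days" idea above is a mechanism, so here is an added sketch of how an administrator could implement it on a systemd host (example written for this page; it is not Fedora's, Cockpit's or any distribution's code, and nothing like it shipped as a result of this thread). A stamp file records when the host was provisioned, a daily timer runs the script, and the script disables sshd once the grace period has elapsed. The stamp path, unit names, script location and the 7-day value are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: disable sshd once a post-install grace
# period has passed. All paths and unit names below are assumptions.

STAMP_FILE="${STAMP_FILE:-/var/lib/sshd-grace/provisioned-at}"  # assumed path
GRACE_DAYS="${GRACE_DAYS:-7}"                                   # assumed value

# grace_expired INSTALL_EPOCH NOW_EPOCH DAYS
# Succeeds (exit 0) when at least DAYS days separate the two epoch timestamps.
# Kept as pure arithmetic so the decision can be tested without root.
grace_expired() {
    [ $(( $2 - $1 )) -ge $(( $3 * 86400 )) ]
}

# seconds_left INSTALL_EPOCH NOW_EPOCH DAYS
# Prints how many seconds of grace remain, or 0 once it has expired.
seconds_left() {
    left=$(( $1 + $3 * 86400 - $2 ))
    if [ "$left" -gt 0 ]; then echo "$left"; else echo 0; fi
}

# First run records the provisioning time; later runs read it back.
read_or_create_stamp() {
    if [ ! -f "$STAMP_FILE" ]; then
        mkdir -p "$(dirname "$STAMP_FILE")"
        date +%s > "$STAMP_FILE"
    fi
    cat "$STAMP_FILE"
}

# Unit files a daily check would need (assumed names; print with --print-units).
print_units() {
    cat <<'EOF'
# /etc/systemd/system/sshd-grace.service
[Unit]
Description=Disable sshd once the post-install grace period has passed

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/sshd-grace.sh --apply

# /etc/systemd/system/sshd-grace.timer
[Unit]
Description=Daily check of the sshd grace period

[Timer]
OnBootSec=10min
OnUnitActiveSec=1d
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

case "${1:-}" in
    --apply)
        install_epoch=$(read_or_create_stamp)
        now=$(date +%s)
        if grace_expired "$install_epoch" "$now" "$GRACE_DAYS"; then
            echo "grace period of $GRACE_DAYS days is over; stopping and disabling sshd"
            systemctl disable --now sshd.service
        else
            echo "sshd stays enabled for $(seconds_left "$install_epoch" "$now" "$GRACE_DAYS") more seconds"
        fi
        ;;
    --print-units)
        print_units
        ;;
    "")
        ;;  # no arguments: only define the functions (sourcing, tests)
esac
```

An administrator who has finished configuration and wants sshd to stay reachable (ideally with password authentication turned off in sshd_config) simply removes the timer with `systemctl disable --now sshd-grace.timer`; a host that was provisioned and forgotten, the case Chris describes, loses its listening sshd a week later. `Persistent=true` makes the timer catch up after downtime, so a box that was powered off for the whole week is still checked at its next boot.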
> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
>
> On Jul 25, 2015, at 6:22 PM, Bob Marcan wrote:
> >
> > 1FuckingPrettyRose
> > "Sorry, you must use no fewer than 20 total characters."
> > 1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow!
> > "Sorry, you cannot use punctuation."
> > 1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow
> > "Sorry, that password is already in use."
>
> The new rules are nowhere near that stringent:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
>
> > Who thinks the password policy in my machines are my concern.
>
> Much of the evil on the Internet today -- DDoS armies, spam spewers, phishing botnets -- is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> In the previous thread on this topic, 6 months ago, I likened reasonable password strength minima to state-mandated vaccination. Previously-defeated diseases have started to reappear as the antivax movement has gained momentum. Polio came back in Pakistan, measles in California, and whooping cough in Australia, all within the last year or two.
>
> https://en.wikipedia.org/wiki/Vaccine_controversies
>
> So no, your local password quality policy is not purely your own concern.

Other than DDoS, which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything), what "risk" is created to other people's machines who have done appropriate security measures by a cracked machine owned by an idiot, that isn't easily handled in minutes, if not seconds, by fail2ban?

Equating this to "vaccination" is a huge stretch. It's more like saying the guy who left his front door unlocked all day is a threat to the neighbor's house.

Other than the perennial brokenness of a worldwide untrusted network piped straight into your home or business without an appropriate firewall and/or monitoring of said silly network, there's almost zero risk at all to the "house next door with a deadbolt and security bars". You can't "catch the insecure"... hahaha... it's not a virus.

-- 
Nate Duehr
denverpilot at me.com