Re: Weak password madness is back again
On Mon, 23 Jan 2017 02:24:04 + (UTC) Ben Boeckelwrote: > On Sun, 22 Jan, 2017 at 23:36:48 GMT, Ben Boeckel wrote: > > > Sorry for the necro; I apparently had a message queued up on this > machine that I had forgotten about. No problem. A word to the wise is welcome. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Sun, 22 Jan, 2017 at 23:36:48 GMT, Ben Boeckel wrote: Sorry for the necro; I apparently had a message queued up on this machine that I had forgotten about. --Ben ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Tue, 11 Oct, 2016 at 18:25:03 GMT, stan wrote: > "you are a good girl" or variation. Does she have a favorite passage > in a book she reads? Beware common phrases; they are part of the "dictionaries" used by password crackers these days (particularly memorable quotes from movies, books (especially religious books apparently), etc.). You really want random words, possibly along the lines of "green dreams sleep furiously" which are grammatical, but still nonsense. --Ben ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Tue, 11 Oct 2016 08:35:35 + Zbigniew Jędrzejewski-Szmekwrote: > On Tue, Oct 11, 2016 at 09:15:12AM +0200, Björn Persson wrote: > > Zbigniew Jędrzejewski-Szmek wrote: > > > Yes. The hint that "this passphrase is weak" is very useful. But > > > enforcing any policy is just too inflexible. I just tried to > > > explain (unsuccessfully) to a kid (2nd grade, so any "strong" > > > password would simply be immediately forgotten) why she cannot > > > change the password in the gnome dialogue, and it was a total > > > waste of time. > > > > Is a second-grader actually unable to remember "correct horse > > battery staple"? I strongly doubt that. Spell it, maybe not, but > > surely she could remember a four-word string? > > A pass*phrase* like that is certainly much more feasible than a > pass*word*. But I still think it'd be an effort, for example I'd > estimate a 50-50 chance of a passphrase being forgotten over a two > week break. > > And as for the spelling, notice the double-r and double-t, those would > be a source of trouble ;) Without any feedback and only three tries, > this would be rather frustrating. How about a phrase she will remember, and will take pleasure in typing? ;-) "you are a good girl" or variation. Does she have a favorite passage in a book she reads? ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Tue, Oct 11, 2016 at 09:15:12AM +0200, Björn Persson wrote: > Zbigniew Jędrzejewski-Szmekwrote: > > Yes. The hint that "this passphrase is weak" is very useful. But > > enforcing any policy is just too inflexible. I just tried to explain > > (unsuccessfully) to a kid (2nd grade, so any "strong" password would > > simply be immediately forgotten) why she cannot change the password in > > the gnome dialogue, and it was a total waste of time. > > Is a second-grader actually unable to remember "correct horse battery > staple"? I strongly doubt that. Spell it, maybe not, but surely she > could remember a four-word string? A pass*phrase* like that is certainly much more feasible than a pass*word*. But I still think it'd be an effort, for example I'd estimate a 50-50 chance of a passphrase being forgotten over a two week break. And as for the spelling, notice the double-r and double-t, those would be a source of trouble ;) Without any feedback and only three tries, this would be rather frustrating. Zbyszek ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Mon, Oct 10, 2016 at 11:56:38AM -0500, Michael Catanzaro wrote: > On Mon, 2016-10-10 at 16:17 +, Zbigniew Jędrzejewski-Szmek wrote: > > (In addition, typing "password" in the gnome search box does *not* > > lead to something that allows you to change your password, one needs > > to search for "users" instead…, but that's another story. If somebody > > from the gnome team is listening, it would be great to tag "Users" > > with > > "password" too.) > > Hm, the keyword is already listed in the desktop file, but that doesn't > do any good because all the desktop files are marked NoDisplay=true. > > But it's found by the control-center search provider. That should be on > by default, did you turn it off? I see it now, thanks. PEBKAC, it seems. Zbyszek ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Zbigniew Jędrzejewski-Szmekwrote: > Yes. The hint that "this passphrase is weak" is very useful. But > enforcing any policy is just too inflexible. I just tried to explain > (unsuccessfully) to a kid (2nd grade, so any "strong" password would > simply be immediately forgotten) why she cannot change the password in > the gnome dialogue, and it was a total waste of time. Is a second-grader actually unable to remember "correct horse battery staple"? I strongly doubt that. Spell it, maybe not, but surely she could remember a four-word string? Björn Persson pgpzeQ_0NZYcW.pgp Description: OpenPGP digital signatur ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Mon, 2016-10-10 at 16:17 +, Zbigniew Jędrzejewski-Szmek wrote: > (In addition, typing "password" in the gnome search box does *not* > lead to something that allows you to change your password, one needs > to search for "users" instead…, but that's another story. If somebody > from the gnome team is listening, it would be great to tag "Users" > with > "password" too.) Hm, the keyword is already listed in the desktop file, but that doesn't do any good because all the desktop files are marked NoDisplay=true. But it's found by the control-center search provider. That should be on by default, did you turn it off? Michael ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Sat, Oct 08, 2016 at 02:29:20PM +0200, Kevin Kofler wrote: > Michael Catanzaro wrote: > > The status quo is that we are not in compliance with FESCo's policy > > [1], which clearly applies to all tools that change passwords and not > > just anaconda, but we can't change anything in GNOME until libpwquality > > stops blocking weak passwords via its PAM module, since we ultimately > > shell out to passwd to implement that (for auditability). > > The right fix there is to just remove the libpwquality PAM module by > default. Enabling such a thing should only be done by the local system > administrator. > > > But there is one more issue. FESCo's policy actually requires that only > > admin users (wheel users, including the initial user account) would be > > able to set weak passwords, and that unprivileged users should be > > blocked from doing so. > > And I agree with Chris Murphy that that policy is utter nonsense. > > Even if I want to set my password to the empty string, that is my choice. It > is a perfectly valid password for some use cases. (For what it's worth, I > actually use a non-empty password, but Anaconda considers even that "weak". > But I do not want to give more details here, and most definitely not the > password itself, for obvious reasons.) Yes. The hint that "this passphrase is weak" is very useful. But enforcing any policy is just too inflexible. I just tried to explain (unsuccessfully) to a kid (2nd grade, so any "strong" password would simply be immediately forgotten) why she cannot change the password in the gnome dialogue, and it was a total waste of time. (In addition, typing "password" in the gnome search box does *not* lead to something that allows you to change your password, one needs to search for "users" instead…, but that's another story. If somebody from the gnome team is listening, it would be great to tag "Users" with "password" too.) Zbyszek ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Pá, 2016-10-07 at 11:58 -0500, Michael Catanzaro wrote: > On Fri, 2016-10-07 at 18:07 +0200, Hans de Goede wrote: > > > > Suggested fix if you "shell out to passwd" in g-c-c, then why not > > also do this in g-i-s presumable you can share the code then and > > have less security sensitive code to worry about ? When you do > > make sure you run passwd as root (from g-i-s), not as the newly > > created user. I can set whatever passwd I want using > > "passwd " as root just fine. > We should probably just switch to using accountsservice, which runs > as > root, to change the password; it's kind of silly to use passwd > directly > "for auditability" if it's possible to change passwords using > accountsservice instead. accountsservice should be changed to use > passwd if desired. (Currently accountsservice uses usermod, which is > I > guess why we don't use it in g-c-c.) Does that sound OK, Ondrej? > > Then that would solve the problem of getting errors from PAM, and we > can decide whether to enforce password strength in GNOME based on > whether the current user is an admin or not (or if he is > authenticated > as an admin for editing other accounts... that would be kind of > confusing, though, if a non-admin user with access to an admin > password > gets hit by the password strength policy just because he didn't > unlock > the panel with the admin password before changing his password; not > sure what the UI should be for this). If accountsservice uses usermod it generates audit events too although slightly different ones than passwd. But that should not be a problem for auditability. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Michael Catanzaro wrote: > The status quo is that we are not in compliance with FESCo's policy > [1], which clearly applies to all tools that change passwords and not > just anaconda, but we can't change anything in GNOME until libpwquality > stops blocking weak passwords via its PAM module, since we ultimately > shell out to passwd to implement that (for auditability). The right fix there is to just remove the libpwquality PAM module by default. Enabling such a thing should only be done by the local system administrator. > But there is one more issue. FESCo's policy actually requires that only > admin users (wheel users, including the initial user account) would be > able to set weak passwords, and that unprivileged users should be > blocked from doing so. And I agree with Chris Murphy that that policy is utter nonsense. Even if I want to set my password to the empty string, that is my choice. It is a perfectly valid password for some use cases. (For what it's worth, I actually use a non-empty password, but Anaconda considers even that "weak". But I do not want to give more details here, and most definitely not the password itself, for obvious reasons.) Kevin Kofler ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Tomas Mraz wrote: > The only place where the password strength check should not be > overridable is when a regular user tries to change his own password. No, even that should not happen unless the local administrator explicitly opted to enforce some such policy (and the exact policy to enforce is the administrator's choice, it is likely to differ significantly from GNOME's hardcoded policy). Enforcing password strength rules on all users of the entire distribution, no matter what their use cases are, is just not a reasonable thing to do. As pointed out by Chris Murphy, even the proprietary operating systems don't do that. Kevin Kofler ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Hi, On 07-10-16 18:58, Michael Catanzaro wrote: On Fri, 2016-10-07 at 18:07 +0200, Hans de Goede wrote: Suggested fix if you "shell out to passwd" in g-c-c, then why not also do this in g-i-s presumable you can share the code then and have less security sensitive code to worry about ? When you do make sure you run passwd as root (from g-i-s), not as the newly created user. I can set whatever passwd I want using "passwd " as root just fine. We should probably just switch to using accountsservice, which runs as root, to change the password; it's kind of silly to use passwd directly "for auditability" if it's possible to change passwords using accountsservice instead. accountsservice should be changed to use passwd if desired. (Currently accountsservice uses usermod, which is I guess why we don't use it in g-c-c.) Does that sound OK, Ondrej? Then that would solve the problem of getting errors from PAM, and we can decide whether to enforce password strength in GNOME based on whether the current user is an admin or not (or if he is authenticated as an admin for editing other accounts... that would be kind of confusing, though, if a non-admin user with access to an admin password gets hit by the password strength policy just because he didn't unlock the panel with the admin password before changing his password; not sure what the UI should be for this). Sounds good to me, I'm pretty much happy with any solution which you think is safe and maintainable; and I understand if we won't see this fixed till F26, but please do fix it for F26. Thank you & Regards, Hans ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Fri, 2016-10-07 at 18:07 +0200, Hans de Goede wrote: > Suggested fix if you "shell out to passwd" in g-c-c, then why not > also do this in g-i-s presumable you can share the code then and > have less security sensitive code to worry about ? When you do > make sure you run passwd as root (from g-i-s), not as the newly > created user. I can set whatever passwd I want using > "passwd " as root just fine. We should probably just switch to using accountsservice, which runs as root, to change the password; it's kind of silly to use passwd directly "for auditability" if it's possible to change passwords using accountsservice instead. accountsservice should be changed to use passwd if desired. (Currently accountsservice uses usermod, which is I guess why we don't use it in g-c-c.) Does that sound OK, Ondrej? Then that would solve the problem of getting errors from PAM, and we can decide whether to enforce password strength in GNOME based on whether the current user is an admin or not (or if he is authenticated as an admin for editing other accounts... that would be kind of confusing, though, if a non-admin user with access to an admin password gets hit by the password strength policy just because he didn't unlock the panel with the admin password before changing his password; not sure what the UI should be for this). Michael ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Fri, 2016-10-07 at 16:17 +0200, Tomas Mraz wrote: > On Pá, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: > > Hi, > > > > So 2 devel cycles ago we had this whole discussion > > about how forcing people to choose strong passwords in anaconda > > was making live hard for testers / test-installs and this > > decision was reverted. > > > > So now here I'm doing a F25 Fedora ARM test install, end up > > in the gnome-ified first-time-setup wizzard and cannot continue > > until I make my test-user password strong enough. UGH. > > > > So can we get this fixed please, or do we need to escalate > > this all the way up to FESco again ? > > > Is that a regression? Previously the discussion was about Anaconda not > about gnome initial setup or whatever is the password dialogue you are > talking about. Not that I am supporter of making it impossible to > override password strength check in any kind of initial setup tools. It is a regression, yeah, at some point g-i-s did allow weak passwords, with a warning. I don't recall exactly when it changed again. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Hi, On 07-10-16 18:03, Adam Williamson wrote: On Fri, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: Hi, So 2 devel cycles ago we had this whole discussion about how forcing people to choose strong passwords in anaconda was making live hard for testers / test-installs and this decision was reverted. So now here I'm doing a F25 Fedora ARM test install, end up in the gnome-ified first-time-setup wizzard and cannot continue until I make my test-user password strong enough. UGH. So can we get this fixed please, or do we need to escalate this all the way up to FESco again ? It's a game. Every time we get it changed in one place, it gets changed the other way in another place...=) For now, you can create a user account during the install process (rather than in gnome-initial-setup) if you want a weak password. No such luck with the ARM sdcard images though, those are "pre-installed" and for the workstation images one is stuck with gnome-initial-setup (I believe the anaconda based normal intial-setup will do the right thing). Regards, Hans ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Hi, On 07-10-16 17:42, Michael Catanzaro wrote: On Fri, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: So can we get this fixed please, or do we need to escalate this all the way up to FESco again ? Hi, The status quo is that we are not in compliance with FESCo's policy [1], which clearly applies to all tools that change passwords and not just anaconda, but we can't change anything in GNOME until libpwquality stops blocking weak passwords via its PAM module, since we ultimately shell out to passwd to implement that (for auditability). (Actually, I think gnome-initial-setup does not use passwd, but gnome-control-center definitely does, and we are not going to implement different password checking behavior between the two of them.) I informed FESCo of this at the time of their decision, and reminded them in the original ticket a month or two ago. At any rate, it's been this way for several releases now, so I don't want to change anything in F25 this late in the game, but it would be nice to fix in the F26 timeframe. I don't want to work on the PAM module, but if somebody else fixes it, then send me a ping and I'll try to update gnome-initial- setup and gnome-control-center to comply with the policy. But there is one more issue. FESCo's policy actually requires that only admin users (wheel users, including the initial user account) would be able to set weak passwords, and that unprivileged users should be blocked from doing so. Again, this is not currently possible to implement in GNOME, as it requires additional plumbing in at least the PAM module, and probably also in libpwquality proper. Again, I don't plan to work on this, but again, if someone else fixes it then I'm happy to make whatever changes are needed in g-i-s/g-c-c. First of all thank you for the long explanation, and good to know that this is on your radar. As a developer I understand what you're saying. But TBH as an end user I don't give a hoot. We first had this whole discussion about anaconda breaking the freedom to chose a password around F-22 and now we've F25 coming up 18 months later and this is still not fixed (in some places). That is simply unacceptable IMHO. Suggested fix if you "shell out to passwd" in g-c-c, then why not also do this in g-i-s presumable you can share the code then and have less security sensitive code to worry about ? When you do make sure you run passwd as root (from g-i-s), not as the newly created user. I can set whatever passwd I want using "passwd " as root just fine. This will at least fix g-i-s, which is the biggest hurdle for users. Changing a passwd later, a wheel group user can always drop to the terminal and do "sudo passwd " as a workaround, but at g-i-s time no such workarounds are possible. Or simply also run passwd as root for wheel group users (they have sudo rights after all). Regards, Hans > [1] https://fedoraproject.org/wiki/Passphrase_policy Note that this page too is over a year old, really it is time to fix this. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Fri, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: > Hi, > > So 2 devel cycles ago we had this whole discussion > about how forcing people to choose strong passwords in anaconda > was making live hard for testers / test-installs and this > decision was reverted. > > So now here I'm doing a F25 Fedora ARM test install, end up > in the gnome-ified first-time-setup wizzard and cannot continue > until I make my test-user password strong enough. UGH. > > So can we get this fixed please, or do we need to escalate > this all the way up to FESco again ? It's a game. Every time we get it changed in one place, it gets changed the other way in another place...=) For now, you can create a user account during the install process (rather than in gnome-initial-setup) if you want a weak password. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Fri, Oct 7, 2016 at 9:42 AM, Michael Catanzarowrote: > But there is one more issue. FESCo's policy actually requires that only > admin users (wheel users, including the initial user account) would be > able to set weak passwords, and that unprivileged users should be > blocked from doing so. The less privileged account must have a stronger passphrase. It's adorable nonsense. FESCo should reconsider that distinction. -- Chris Murphy ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Fri, Oct 7, 2016 at 8:17 AM, Tomas Mrazwrote: > On Pá, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: >> Hi, >> >> So 2 devel cycles ago we had this whole discussion >> about how forcing people to choose strong passwords in anaconda >> was making live hard for testers / test-installs and this >> decision was reverted. >> >> So now here I'm doing a F25 Fedora ARM test install, end up >> in the gnome-ified first-time-setup wizzard and cannot continue >> until I make my test-user password strong enough. UGH. >> >> So can we get this fixed please, or do we need to escalate >> this all the way up to FESco again ? > > Is that a regression? Previously the discussion was about Anaconda not > about gnome initial setup or whatever is the password dialogue you are > talking about. Not that I am supporter of making it impossible to > override password strength check in any kind of initial setup tools. > > The only place where the password strength check should not be > overridable is when a regular user tries to change his own password. To this day in the latest Windows and macOS, the regular user can use "hi" as a password, and the world is still not ending. More user freedom for passwords on proprietary platforms. It's ironic. The shortest password I can get GNOME's Settings > Users > Change Password to accept is UiNls8%M which is hilarious. February is also eight characters, but I'm punished for using a common word. Even february5 is disallowed. The shortest easiest to remember one I could come up with was june5may which is eight characters. It's from the same era of pompous fake security as compulsory password changes after 90 days. Oh well, we have bigger problems anyway. -- Chris Murphy ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Fri, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: > So can we get this fixed please, or do we need to escalate > this all the way up to FESco again ? Hi, The status quo is that we are not in compliance with FESCo's policy [1], which clearly applies to all tools that change passwords and not just anaconda, but we can't change anything in GNOME until libpwquality stops blocking weak passwords via its PAM module, since we ultimately shell out to passwd to implement that (for auditability). (Actually, I think gnome-initial-setup does not use passwd, but gnome-control-center definitely does, and we are not going to implement different password checking behavior between the two of them.) I informed FESCo of this at the time of their decision, and reminded them in the original ticket a month or two ago. At any rate, it's been this way for several releases now, so I don't want to change anything in F25 this late in the game, but it would be nice to fix in the F26 timeframe. I don't want to work on the PAM module, but if somebody else fixes it, then send me a ping and I'll try to update gnome-initial- setup and gnome-control-center to comply with the policy. But there is one more issue. FESCo's policy actually requires that only admin users (wheel users, including the initial user account) would be able to set weak passwords, and that unprivileged users should be blocked from doing so. Again, this is not currently possible to implement in GNOME, as it requires additional plumbing in at least the PAM module, and probably also in libpwquality proper. Again, I don't plan to work on this, but again, if someone else fixes it then I'm happy to make whatever changes are needed in g-i-s/g-c-c. Michael [1] https://fedoraproject.org/wiki/Passphrase_policy ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
Hi, On 07-10-16 16:17, Tomas Mraz wrote: On Pá, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: Hi, So 2 devel cycles ago we had this whole discussion about how forcing people to choose strong passwords in anaconda was making live hard for testers / test-installs and this decision was reverted. So now here I'm doing a F25 Fedora ARM test install, end up in the gnome-ified first-time-setup wizzard and cannot continue until I make my test-user password strong enough. UGH. So can we get this fixed please, or do we need to escalate this all the way up to FESco again ? Is that a regression? I don't know this is the first time I encountered the gnome initial-setup wizard instead of using anaconda (due to how arm images work). Previously the discussion was about Anaconda Right, but since we've had this whole heated discussion about how a strong password should not be mandatory for initial account creation, it seems silly to me that only Anaconda actually abides by that decision and other tools with the same purpose do not. not about gnome initial setup or whatever is the password dialogue you are talking about. I got something which looks like the gnome welcome wizard, but then before logging in, since there did not exist any user on the system yet. This version of the gnome welcome wizard allows one to create an user and select a timezone in essence taking the place of initial-setup-gui on non workstation spins. If someone knows the package name of the gnome replacement for initial-setup-gui used on the workstation spin, then please let me know then I will file a bug for this. Not that I am supporter of making it impossible to override password strength check in any kind of initial setup tools. Right, exactly my point. The only place where the password strength check should not be overridable is when a regular user tries to change his own password. Ack, that is not what I'm talking about, this is initial account creation for the first user on the system. Regards, Hans ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Weak password madness is back again
On Pá, 2016-10-07 at 15:56 +0200, Hans de Goede wrote: > Hi, > > So 2 devel cycles ago we had this whole discussion > about how forcing people to choose strong passwords in anaconda > was making live hard for testers / test-installs and this > decision was reverted. > > So now here I'm doing a F25 Fedora ARM test install, end up > in the gnome-ified first-time-setup wizzard and cannot continue > until I make my test-user password strong enough. UGH. > > So can we get this fixed please, or do we need to escalate > this all the way up to FESco again ? Is that a regression? Previously the discussion was about Anaconda not about gnome initial setup or whatever is the password dialogue you are talking about. Not that I am supporter of making it impossible to override password strength check in any kind of initial setup tools. The only place where the password strength check should not be overridable is when a regular user tries to change his own password. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Weak password madness is back again
Hi, So 2 devel cycles ago we had this whole discussion about how forcing people to choose strong passwords in anaconda was making live hard for testers / test-installs and this decision was reverted. So now here I'm doing a F25 Fedora ARM test install, end up in the gnome-ified first-time-setup wizzard and cannot continue until I make my test-user password strong enough. UGH. So can we get this fixed please, or do we need to escalate this all the way up to FESco again ? Regards, Hans ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org