On Mon, Mar 9, 2015 at 6:53 PM, Björn Persson Bjorn@rombobjörn.se wrote:
Nico Kadel-Garcia wrote:
I'm the guy that brought up the XKCD comic.
I did it first. ;-)
The classic
storage is the Post-it note on the secretary's desk, but I see a lot
of people who should know better writing them
Kevin Kofler wrote:
The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
reason.
There are two possible reasons why you would say that. Either you
haven't even looked at the Ars Technica articles that have
On 10 Mar 2015, at 07:00, Matěj Cepl wrote:
On 2015-03-10, 10:15 GMT, Björn Persson wrote:
The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's
probably a good
reason.
There are two possible reasons why you would say
On 2015-03-10, 10:15 GMT, Björn Persson wrote:
The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
reason.
There are two possible reasons why you would say that. Either you
haven't even looked at the Ars
On Tue, Mar 10, 2015 at 5:38 PM, Björn Persson Bjorn@rombobjörn.se wrote:
In the hope of clearing up any
misunderstandings I'll make these statements:
Thanks for the clarifications. My own clarification is that what I
wrote is directed at large, not only to you personally. Usage of
you was
On Tue, Mar 10, 2015 at 4:15 AM, Björn Persson Bjorn@rombobjörn.se wrote:
Kevin Kofler wrote:
The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
reason.
There are two possible reasons why you would say
On Tue, Mar 10, 2015 at 2:16 PM, Chris Murphy li...@colorremedies.com wrote:
So why not a 25 character limit?
That's maybe confusing. Why not a 25 character minimum?
--
Chris Murphy
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Björn Persson wrote:
Kevin Kofler wrote:
The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
reason.
There are two possible reasons why you would say that. Either you
haven't even looked at the Ars
On 03/06/2015 06:55 PM, Michael Catanzaro wrote:
Well... yes, I suppose if you've left your computer on and locked, and
the attacker wants to make sure you do not notice the reboot, or wants
to get a RAM dump that would be lost when shut down (e.g. for my
gnome-keyring passwords), then there
Mike Pinkerton wrote:
I guess one response would be to give up any pretense of password
quality checking, although I am not advocating that.
Why not? The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
Nico Kadel-Garcia wrote:
I'm the guy that brought up the XKCD comic.
I did it first. ;-)
The classic
storage is the Post-it note on the secretary's desk, but I see a lot
of people who should know better writing them into source control
systems that everyone in the company can read.
Or even
On Mon, Mar 9, 2015 at 4:53 PM, Björn Persson Bjorn@rombobjörn.se wrote:
Nico Kadel-Garcia wrote:
I'm the guy that brought up the XKCD comic.
I did it first. ;-)
Sorry, I think it was adamw who referenced it on anaconda-devel@ over
a month ago when this topic first came up. :-D And I
Why not? The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
reason.
You have an alarmingly naive understanding of our user base...
(not that *I* want to give up control of my passwords, but I'm not an
On 08.03.2015 at 17:24, Nico Kadel-Garcia wrote:
There's also a counterproductive effect. Passwords that are enforced,
by policy, to be nonsensical gibberish tend to be written down,
because no one can remember them. And because no one can remember
them, they're written down in easily accessed
On 8 March 2015 at 08:41, Mike Pinkerton pseli...@mindspring.com wrote:
Ok, to bring this back around to where we started -- password quality
checkers on Fedora:
1. By positing a strategic attacker, we have now reduced the time we
expect it to take him/her to crack our 29 character
Mike Pinkerton wrote:
On 7 Mar 2015, at 10:41, Björn Persson wrote:
Mike Pinkerton wrote:
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
I hope https://xkcd.com/936/ will be among the inputs to that
discussion.
I'm fond of
Mike Pinkerton wrote:
I was responding to Björn Persson's suggestion that, in discussions
of password quality, correcthorsebatterystaple would be an example of
a safe password.
Safe_r_. Security in passphrases isn't a binary thing. XKCD 936
demonstrates that correct horse battery staple is
On 7 Mar 2015, at 20:35, Stephen John Smoogen wrote:
On 7 March 2015 at 15:33, Mike Pinkerton pseli...@mindspring.com
wrote:
On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:
On 7 March 2015 at 11:53, Mike Pinkerton pseli...@mindspring.com
wrote:
On 7 Mar 2015, at 10:41, Björn
On Sun, Mar 8, 2015 at 8:44 AM, Björn Persson Bjorn@rombobjörn.se wrote:
Mike Pinkerton wrote:
I was responding to Björn Persson's suggestion that, in discussions
of password quality, correcthorsebatterystaple would be an example of
a safe password.
Safe_r_. Security in passphrases isn't a
Michael Catanzaro wrote:
On Fri, 2015-03-06 at 19:25 -0500, Miloslav Trmač wrote:
The way we deploy LUKS, a single password guess takes one second on a
comparable hardware, so the fuzz factor is not actually as large as it
might seem.
Wow, I had no clue it was that good. OK, so making
Mike Pinkerton wrote:
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
I hope https://xkcd.com/936/ will be among the inputs to that
discussion.
I'm fond of noting that pwquality has not yet blacklisted any variant
of
On 7 Mar 2015, at 10:41, Björn Persson wrote:
Mike Pinkerton wrote:
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
I hope https://xkcd.com/936/ will be among the inputs to that
discussion.
I'm fond of noting that pwquality has not
On 6 March 2015 at 22:58, Mike Pinkerton pseli...@mindspring.com wrote:
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
I hope https://xkcd.com/936/ will be among the inputs to that
discussion.
I'm fond of noting that pwquality
On Fri, Mar 6, 2015 at 2:00 PM, Kevin Fenzi ke...@scrye.com wrote:
On Fri, 6 Mar 2015 10:52:34 -0500
David Cantrell dcantr...@redhat.com wrote:
From what I'm reading in the meeting logs and the ticket comments, it
appears the revert decision is basically a temporary solution and a
more
On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:
On 7 March 2015 at 11:53, Mike Pinkerton pseli...@mindspring.com
wrote:
On 7 Mar 2015, at 10:41, Björn Persson wrote:
Mike Pinkerton wrote:
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn
On 7 March 2015 at 11:53, Mike Pinkerton pseli...@mindspring.com wrote:
On 7 Mar 2015, at 10:41, Björn Persson wrote:
Mike Pinkerton wrote:
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
I hope https://xkcd.com/936/ will be among
On 7 March 2015 at 15:33, Mike Pinkerton pseli...@mindspring.com wrote:
On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:
On 7 March 2015 at 11:53, Mike Pinkerton pseli...@mindspring.com wrote:
On 7 Mar 2015, at 10:41, Björn Persson wrote:
Mike Pinkerton wrote:
On 6 Mar 2015, at
On Fri, 2015-03-06 at 19:25 -0500, Miloslav Trmač wrote:
The way we deploy LUKS, a single password guess takes one second on a
comparable hardware, so the fuzz factor is not actually as large as it might
seem.
Wow, I had no clue it was that good. OK, so making one guess at the user
account
On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
* The workstation folks think this change could drive away some of
their potential users for not much gain. In their case, sshd is not
enabled/running and additional security for a device that sits in
your home isn't worth the
Hi!
On Fri, 2015-03-06 at 23:01 +0100, Björn Persson wrote:
or if the attacker snuck into your room when you left it to fetch some
coffee, and needs to unlock your console, implant a backdoor and sneak
back out before you return, or otherwise can't reboot your computer
because you would
Hello,
On Fri, Mar 06, 2015 at 09:43:33AM -0500, Adam Jackson wrote:
As resolved by FESCO in our meeting on 4 March 2015, FESCO requests that
anaconda revert a password behaviour change in the UI from F22,
restoring the double-click to confirm weak password behaviour from F21
and earlier.
On Fri, 2015-03-06 at 19:35 -0500, Miloslav Trmač wrote:
There is another very important case where this falls down: the computer is
enrolled into AD/IPA and the password is used throughout the organization.
Just looking at a local machine does not necessarily tell you what the needed
I have no
clue why VNC passwords are limited/truncated to eight characters, but it
seems like that limitation makes the protocol not worth supporting at
all, let alone worth promoting in System Settings.
The only VNC authentication mechanism standardized in RFC 6143 uses the
password as a
Hello,
On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
* The workstation folks think this change could drive away some of
their potential users for not much gain. In their case, sshd is not
enabled/running and additional security for a device that sits in
your home isn't worth
On 6 March 2015 at 19:13, Michael Catanzaro mcatanz...@gnome.org wrote:
On Fri, 2015-03-06 at 19:35 -0500, Miloslav Trmač wrote:
Eh, well by my logic they are both so closely-related that it's nonsense
to treat them differently... but that comment was more a wishful
somebody please fix VNC
David Cantrell wrote:
From what I'm reading in the meeting logs and the ticket comments, it
appears the revert decision is basically a temporary solution and a more
formal security policy will be discussed later. We had technical
arguments in favor of the change originally, but I have yet to
On Fri, 2015-03-06 at 10:52 -0500, David Cantrell wrote:
I wish a formal distribution and/or per-variant security policy would come
from FESCo (or a committee directed by FESCo) so we could resolve the
concerns now and going forward. I don't see the revert decision as being a
good step in
On Fri, Mar 06, 2015 at 09:43:33AM -0500, Adam Jackson wrote:
As resolved by FESCO in our meeting on 4 March 2015, FESCO requests that
anaconda revert a password behaviour change in the UI from F22,
restoring the double-click to confirm weak password behaviour from F21
and earlier.
From what
On Fri, 6 Mar 2015 10:52:34 -0500
David Cantrell dcantr...@redhat.com wrote:
From what I'm reading in the meeting logs and the ticket comments, it
appears the revert decision is basically a temporary solution and a
more formal security policy will be discussed later. We had
technical
On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
* The workstation folks think this change could drive away some of
their potential users for not much gain. In their case, sshd is not
enabled/running and additional security for a device that sits in
your home isn't worth the
On Fri, 2015-03-06 at 15:14 -0600, Michael Catanzaro wrote:
On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
* The workstation folks think this change could drive away some of
their potential users for not much gain. In their case, sshd is not
enabled/running and additional
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
Adam Jackson wrote:
FESCO is prepared to work with anaconda and other stakeholders
to define security models for the various Fedora products. By
clarifying our needs we hope to avoid this kind of contention
in the future.
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
I hope https://xkcd.com/936/ will be among the inputs to that
discussion.
I'm fond of noting that pwquality has not yet blacklisted any variant
of correcthorsebatterystaple. I've been
Michael Catanzaro wrote:
If the attacker is unskilled and doesn't know how to boot a live image,
or if the attacker snuck into your room when you left it to fetch some
coffee, and needs to unlock your console, implant a backdoor and sneak
back out before you return, or otherwise can't reboot
Adam Jackson wrote:
FESCO is prepared to work with anaconda and other stakeholders to define
security models for the various Fedora products. By clarifying our
needs we hope to avoid this kind of contention in the future.
The discussion for this might as well start now -or- at