Thu Aug 23 16:57:26 UTC 2018

As 18.10 development continues, we find ourselves with opportunities to
add in new features which weren't quite so easily implemented before.
One of these things is the discovery that Calamares (our installer)
supports a library called libpwquality that can enforce all kinds of
great password requirements. Being security-minded folks, we're inclined
to add such things to the installer and as of recent uploads, you'll
find them included. We were actually planning on hardening these even
more to require a minimum length, minimum number of character classes,
no dictionary words, limited repeat characters or sequences. Check out
the [manpage for pwquality.conf][0] for more on the many options.

However, we have at least [one complaint][1] already about this and it
has us concerned whether or not we're being a little too heavy-handed in
these requirements. As you can see in our response, there is a
workaround which one can easily accomplish by editing a config file and
commenting out the entire password section. Still, that wasn't sufficient
to satisfy this particular individual, apparently.

I still believe secure defaults make sense, especially as this tends to
be the rule rather than the exception in the modern world. Everywhere
you go, password requirements are there. However, I do not believe we
(core development team) should be making these decisions alone. That
said, what do you, the community, think?

[1]: https://linuxrocks.online/@hil/100600128336751092

