[lubuntu-devel] heavy handed password requirements?

Nio Wiklund nio.wiklund at gmail.com
Thu Aug 23 17:17:06 UTC 2018


On 2018-08-23 at 18:57, Walter Lapchynski wrote:
> As 18.10 development continues, we find ourselves with opportunities to
> add in new features which weren't quite so easily implemented before.
> One of these things is the discovery that Calamares (our installer)
> supports a library called libpwquality that can enforce all kinds of
> great password requirements. Being security-minded folks, we're inclined
> to add such things to the installer and as of recent uploads, you'll
> find them included. We were actually planning on hardening these even
> more to require a minimum length, minimum number of character classes,
> no dictionary words, limited repeat characters or sequences. Check out
> the [manpage for pwquality.conf][0] for more on the many options
> available.
> 
> However, we have at least [one complaint][1] already about this and it
> has us concerned whether or not we're being a little too heavy-handed in
> these requirements. As you can see in our response, there is a
> workaround which one can easily accomplish by editing a config file and
> commenting out all the password section. Still, that wasn't sufficient
> to satisfy this particular individual, apparently.
> 
> I still believe secure defaults make sense, especially as this tends to
> be the rule rather than the exception in the modern world. Everywhere
> you go, password requirements are there. However, I do not believe we
> (core development team) should be making these decisions alone. That
> said, what do you, the community think?
> 
> [0]:
> https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod
> [1]: https://linuxrocks.online/@hil/100600128336751092
> 

Hi Walter and everybody else,

Maybe setting 'enforcing=0' as the default is a good alternative: Only 
print a warning.

---
enforcing=N

     If nonzero, reject the password if it fails the checks, otherwise 
only print the warning. This setting applies only to the pam_pwquality 
module and possibly other applications that explicitly change their 
behavior based on it. It does not affect pwmake(1) and pwscore(1). 
(default 1)
---

For example, I use the APG method but also the XKCD method, which uses 
words from a word-list, and would not pass 'dictcheck'.

---
dictcheck

     If nonzero, check whether the password (with possible 
modifications) matches a word in a dictionary. Currently the dictionary 
check is performed using the cracklib library. (default 1)
---

See this link

https://help.ubuntu.com/community/StrongPasswords

Best regards
Nio
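To make the difference between the two approaches in this thread concrete (commenting out the whole password section, as in the workaround Walter mentions, versus setting 'enforcing=0' as Nio proposes), here is an added example that is not part of the mailing-list post or of libpwquality itself. It is a small parser for pwquality.conf-style text (assumed format: one 'key = value' per line, lines starting with '#' are comments) that applies the documented defaults for the two keys quoted above, enforcing (default 1) and dictcheck (default 1), and reports the resulting policy. The three configuration snippets are constructed for the example.

```python
"""Report the effective pwquality.conf policy for the keys quoted above.

Added example (not from the original post or from libpwquality). Assumes
the pwquality.conf format: 'key = value' per line, '#' starts a comment.
Defaults are the ones quoted from pwquality.conf(5) in the thread.
"""

# Documented defaults for the two settings discussed in the thread.
DEFAULTS = {"enforcing": 1, "dictcheck": 1}

# Constructed sample 1: the "workaround" -- the whole password section is
# commented out, so every key falls back to its compiled-in default.
COMMENTED_OUT = """\
# Configuration for systemwide password quality limits
# enforcing = 1
# dictcheck = 1
# minlen = 8
"""

# Constructed sample 2: Nio's proposal -- keep the checks, but only warn.
WARN_ONLY = """\
enforcing = 0
dictcheck = 1
minlen = 8
"""

# Constructed sample 3: keep rejection on, but drop the dictionary check
# so passphrases built from word lists (the XKCD method) are accepted.
NO_DICTCHECK = """\
enforcing = 1
dictcheck = 0
"""


def parse_pwquality_conf(text):
    """Return {key: raw_value} for every active (non-comment) assignment."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line: key keeps its default
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def effective_settings(text):
    """Merge parsed values over the documented defaults (integers for known keys)."""
    effective = dict(DEFAULTS)
    for key, value in parse_pwquality_conf(text).items():
        effective[key] = int(value) if key in DEFAULTS else value
    return effective


def describe_policy(text):
    """Return (mode, dictionary_check_enabled) for a config text."""
    eff = effective_settings(text)
    mode = "reject" if eff["enforcing"] != 0 else "warn only"
    return mode, eff["dictcheck"] != 0


if __name__ == "__main__":
    for name, conf in (("commented out", COMMENTED_OUT),
                       ("enforcing=0", WARN_ONLY),
                       ("dictcheck=0", NO_DICTCHECK)):
        mode, dictcheck = describe_policy(conf)
        print(f"{name:14s} -> on failure: {mode:9s} dictionary check: {dictcheck}")
```

Run as a script it prints one line per snippet; the point it makes is that commenting out the section silently restores 'enforcing = 1' (so weak passwords are still rejected by the defaults), whereas 'enforcing = 0' keeps every check active but turns rejection into a warning.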