[lubuntu-devel] heavy handed password requirements?

Bryan Quigley bryan.quigley at canonical.com
Thu Aug 23 17:51:52 UTC 2018


I think it might give a false sense of security.  If we were talking
about a disk encryption password I'd see the argument a bit more.  But
literally booting with a live CD will for the most part make the user's
password irrelevant for accessing their data.

Definitely +1 on letting users know the strength of their passwords though.

My 2 cents.
Bryan

On Thu, Aug 23, 2018 at 10:17 AM, Nio Wiklund <nio.wiklund at gmail.com> wrote:
> Den 2018-08-23 kl. 18:57, skrev Walter Lapchynski:
>>
>> As 18.10 development continues, we find ourselves with opportunities to
>> add in new features which weren't quite so easily implemented before.
>> One of these things is the discovery that Calamares (our installer)
>> supports a library called libpwquality that can enforce all kinds of
>> great password requirements. Being security-minded folks, we're inclined
>> to add such things to the installer and as of recent uploads, you'll
>> find them included. We were actually planning on hardening these even
>> more to require a minimum length, minimum number of character classes,
>> no dictionary words, limited repeat characters or sequences. Check out
>> the [manpage for pwquality.conf][0] for more on the many options
>> available.
>>
>> However, we have at least [one complaint][1] already about this and it
>> has us concerned whether or not we're being a little too heavy handed in
>> these requirements. As you can see in our response, there is a
>> workaround which one can easily accomplish by editing a config file and
>> commenting out all the password section. Still, that wasn't sufficient
>> to satisfy this particular individual, apparently.
>>
>> I still believe secure defaults make sense, especially as this tends to
>> be the rule rather than the exception in the modern world. Everywhere
>> you go, password requirements are there. However, I do not believe we
>> (core development team) should be making these decisions alone. That
>> said, what do you, the community, think?
>>
>> [0]: https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod
>> [1]: https://linuxrocks.online/@hil/100600128336751092
>>
>
> Hi Walter and everybody else,
>
> Maybe setting 'enforcing=0' as the default is a good alternative: Only print
> a warning.
>
> ---
> enforcing=N
>
>     If nonzero, reject the password if it fails the checks, otherwise only
> print the warning. This setting applies only to the pam_pwquality module and
> possibly other applications that explicitly change their behavior based on
> it. It does not affect pwmake(1) and pwscore(1). (default 1)
> ---
>
> For example, I use the APG method but also the XKCD method, which uses words
> from a word-list, and would not pass 'dictcheck'.
>
> ---
> dictcheck
>
>     If nonzero, check whether the password (with possible modifications)
> matches a word in a dictionary. Currently the dictionary check is performed
> using the cracklib library. (default 1)
> ---
>
> See this link
>
> https://help.ubuntu.com/community/StrongPasswords
>
> Best regards
> Nio
>
>
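As an added illustration (not taken from any message in this thread, and not Lubuntu's or Calamares' shipped configuration), here is a pwquality.conf fragment that combines the checks Walter says the team was planning to tighten with Nio's warn-only suggestion. The option names are those documented in the pwquality.conf(5) manpage linked above; the numeric values are assumptions chosen for illustration, not values anyone in the thread proposed.

```ini
# /etc/security/pwquality.conf -- illustrative fragment; the numbers below are
# assumptions for demonstration, not a recommendation from this thread.

# Nio's suggestion: warn about a weak password but do not reject it.
# The library default is enforcing = 1 (reject on failure).
enforcing = 0

# Checks Walter lists as candidates for hardening:

# Minimum acceptable password length.
minlen = 12

# Minimum number of character classes (lowercase, uppercase, digits, others).
minclass = 3

# Check the password against the cracklib dictionary (default is already 1).
dictcheck = 1

# Maximum number of identical consecutive characters allowed.
maxrepeat = 3

# Maximum length of a monotonic character sequence such as "1234" or "abcd".
maxsequence = 4
```

Two points from the manpage text Nio quotes are worth keeping in mind when reading this. First, enforcing is honoured by pam_pwquality and only by other applications that explicitly consult it, so whether Calamares would downgrade a rejection to a warning under enforcing = 0 is not settled anywhere in this thread and would have to be checked in the installer itself. Second, dictcheck is what would flag an XKCD-style passphrase built from dictionary words, which is the case Nio raises; with enforcing = 0 such a passphrase would produce a warning rather than a refusal, leaving the choice with the user while still telling them how the password scored.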


