[lubuntu-devel] heavy handed password requirements?

Artemgy launchpad at artmg.org
Thu Aug 23 22:37:25 UTC 2018


Walter, 

+1 for notification ONLY not enforcement

I agree with Bryan, Ian and Mark, that letting people see the strength
of their password adds value, but preventing them using passwords below
a strength that WE determine WITHOUT understanding their use cases or
needs is perhaps inappropriate. Personally I use full disk encryption
with very strong passwords on my main Lubuntu PC(s), but I also use the
distro as a basis for a number of utility devices, some of which are
shared or kiosk style, and on these the non-admin account credential
checks would be considered weak or non-existent.
If a distro developer sets the barrier too high then it risks putting
people off. Better to educate folk to make the appropriate choice for
their own needs.
It's great that you ask for people's opinions on matters like this, I
just hope you don't feel burned by the backlash :)
</opinion>
Art

----- Original message -----
From: Mark F <azdays15 at gmail.com>
To:
Cc: "lubuntu-devel" <lubuntu-devel at lists.ubuntu.com>
Subject: Re: [lubuntu-devel] heavy handed password requirements?
Date: Thu, 23 Aug 2018 14:50:09 -0700

Walter,

IMO, for casual home users, it seems a bit overbearing to require
cryptic passwords. I have a friend who only uses her Lubuntu to play
some games, surf the web, read email. I know there's a risk of her
laptop being stolen and someone getting into any web accounts with
"remembered" passwords. But, I think the risk is that she'll forget a
convoluted laptop password.
I like how it is now. It gives us an idea of how strong the password is
using an indicator. But, we can choose an insecure password if we wish.
Mark

On Thu, Aug 23, 2018 at 9:57 AM Walter Lapchynski <wxl at ubuntu.com> wrote:
> As 18.10 development continues, we find ourselves with opportunities to
> add in new features which weren't quite so easily implemented before.
> One of these things is the discovery that Calamares (our installer)
> supports a library called libpwquality that can enforce all kinds of
> great password requirements. Being security-minded folks, we're inclined
> to add such things to the installer and as of recent uploads, you'll
> find them included. We were actually planning on hardening these even
> more to require a minimum length, minimum number of character classes,
> no dictionary words, limited repeat characters or sequences. Check out
> the [manpage for pwquality.conf][0] for more on the many options
> available.
>
> However, we have at least [one complaint][1] already about this and it
> has us concerned whether or not we're being a little too heavy handed in
> these requirements. As you can see in our response, there is a
> workaround which one can easily accomplish by editing a config file and
> commenting out all the password section. Still, that wasn't sufficient
> to satisfy this particular individual, apparently.
>
> I still believe secure defaults make sense, especially as this tends to
> be the rule rather than the exception in the modern world. Everywhere
> you go, password requirements are there. However, I do not believe we
> (core development team) should be making these decisions alone. That
> said, what do you, the community think?
> 
> [0]: https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod
> [1]: https://linuxrocks.online/@hil/100600128336751092
> 
>  -- 
>         @wxl | polka.bike
>  C563 CAC5 8BE1 2F22 A49D 
>  68F6 8B57 A48B C4F2 051A
> 
>  -- 
>  Lubuntu-devel mailing list
> Lubuntu-devel at lists.ubuntu.com
>  Modify settings or unsubscribe at:
>  https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel