[lubuntu-devel] heavy handed password requirements?

Jan Holtman oulik.jan at gmail.com
Fri Aug 24 05:23:12 UTC 2018


Hello all

Some people just cannot remember difficult passwords, they just cannot.
I understand that a very difficult password is better.
My suggestion is (like some websites do) get an indicator like red with the
wording not good at all, not good, average, very good and excellent or
something like that and colors going from red to green.
Maybe a popup when the level is red to orange telling a person why a good
password is important, but to enforce it - no.
What is the use of a person not being able to remember the password?

Also it depends on what you use the machine for.
I have one all Dell SFF desktop computer which I use as an entertainment
center.
There a simple password is enough.

So leave the choice up to the user but inform the user about how important
a password is, in a language that everybody can understand.


Met vriendelijke groet / Best regards,

Jan Holtman

oulik.jan at gmail.com

jan.holtman at live.com


On Fri, Aug 24, 2018 at 12:37 AM Artemgy <launchpad at artmg.org> wrote:

> Walter,
>
> +1 for notification ONLY not enforcement
>
> I agree with Bryan, Ian and Mark, that letting people see the strength of
> their password adds value, but preventing them using passwords below a
> strength that WE determine WITHOUT understanding their use cases or needs
> is perhaps inappropriate. Personally I use full disk encryption with very
> strong passwords on my main Lubuntu PC(s), but I also use the distro as a
> basis for a number of utility devices, some of which are shared or kiosk
> style, and on these the non-admin account credential checks would be
> considered weak or non-existent.
>
> If a distro developer sets the barrier too high then it risks putting
> people off. Better to educate folk to make the appropriate choice for their
> own needs.
>
> It's great that you ask for people's opinions on matters like this, I just
> hope you don't feel burned by the backlash :)
>
> </opinion>
> Art
>
> ----- Original message -----
> From: Mark F <azdays15 at gmail.com>
> To:
> Cc: "lubuntu-devel" <lubuntu-devel at lists.ubuntu.com>
> Subject: Re: [lubuntu-devel] heavy handed password requirements?
> Date: Thu, 23 Aug 2018 14:50:09 -0700
>
> Walter,
>
> IMO, for casual home users, it seems a bit overbearing to require cryptic
> passwords. I have a friend who only uses her Lubuntu to play some games,
> surf the web, read email. I know there's a risk of her laptop being stolen
> and someone getting into any web accounts with "remembered" passwords. But,
> I think the risk is that she'll forget a convoluted laptop password.
>
> I like how it is now. It gives us an idea of how strong the password is
> using an indicator. But, we can choose an insecure password if we wish.
>
> Mark
>
> On Thu, Aug 23, 2018 at 9:57 AM Walter Lapchynski <wxl at ubuntu.com> wrote:
>
> As 18.10 development continues, we find ourselves with opportunities to
> add in new features which weren't quite so easily implemented before.
> One of these things is the discovery that Calamares (our installer)
> supports a library called libpwquality that can enforce all kinds of
> great password requirements. Being security-minded folks, we're inclined
> to add such things to the installer and as of recent uploads, you'll
> find them included. We were actually planning on hardening these even
> more to require a minimum length, minimum number of character classes,
> no dictionary words, limited repeat characters or sequences. Check out
> the [manpage for pwquality.conf][0] for more on the many options
> available.
>
> However, we have at least [one complaint][1] already about this and it
> has us concerned whether or not we're being a little too heavy handed in
> these requirements. As you can see in our response, there is a
> workaround which one can easily accomplish by editing a config file and
> commenting out all the password section. Still, that wasn't sufficient
> to satisfy this particular individual, apparently.
>
> I still believe secure defaults make sense, especially as this tends to
> be the rule rather than the exception in the modern world. Everywhere
> you go, password requirements are there. However, I do not believe we
> (core development team) should be making these decisions alone. That
> said, what do you, the community think?
>
> [0]: https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod
> [1]: https://linuxrocks.online/@hil/100600128336751092
>
> --
>        @wxl | polka.bike
> C563 CAC5 8BE1 2F22 A49D
> 68F6 8B57 A48B C4F2 051A
>
> --
> Lubuntu-devel mailing list
> Lubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel