[lubuntu-devel] heavy handed password requirements?

Nio Wiklund nio.wiklund at gmail.com
Fri Aug 24 17:57:53 UTC 2018


Hi Lyn Perrine,

You describe how you think it will work. Please tell us what you want :-)

Best regards
Nio

On 2018-08-24 at 19:52, Lyn Perrine wrote:
> Well I think if this is set to warn the current library in use wants
> better passwords than say ubiquity would warn about and even
> rejects some currently ubiquity claims as strong for example test1234%
> because it fails a dictionary test.
> 
> On Thu, Aug 23, 2018 at 10:23 PM Jan Holtman <oulik.jan at gmail.com> wrote:
> 
>     Hello all
> 
>     Some people just cannot remember difficult passwords, they just cannot.
>     I understand that a very difficult password is better.
>     My suggestion is (like some websites do) get an indicator like red
>     with the wording not good at all, not good, average, very good and
>     excellent or something like that and colors going from red to green.
>     Maybe a popup when the level is red to orange telling a person why a
>     good password is important, but to enforce it - no.
>     What is the use of a person not being able to remember the password?
> 
>     Also it depends on what you use the machine for.
>     I have one all Dell SFF desktop computer which I use as an
>     entertainment center.
>     There a simple password is enough.
> 
>     So leave the choice up to the user but inform the user about how
>     important a password is, in a language that everybody can understand.
> 
> 
>     Met vriendelijke groet / Best regards,
> 
>     Jan Holtman
> 
>     oulik.jan at gmail.com
>
>     jan.holtman at live.com
> 
> 
>     On Fri, Aug 24, 2018 at 12:37 AM Artemgy <launchpad at artmg.org> wrote:
> 
>         Walter,
> 
>         +1 for notification ONLY not enforcement
> 
>         I agree with Bryan, Ian and Mark, that letting people see the
>         strength of their password adds value, but preventing them using
>         passwords below a strength that WE determine WITHOUT
>         understanding their use cases or needs is perhaps inappropriate.
>         Personally I use full disk encryption with very strong passwords
>         on my main Lubuntu PC(s), but I also use the distro as a basis
>         for a number of utility devices, some of which are shared or
>         kiosk style, and on these the non-admin account credential
>         checks would be considered weak or non-existent.
> 
>         If a distro developer sets the barrier too high then it risks
>         putting people off. Better to educate folk to make the
>         appropriate choice for their own needs.
> 
>         It's great that you ask for people's opinions on matters like
>         this, I just hope you don't feel burned by the backlash :)
> 
>         </opinion>
>         Art
> 
>         ----- Original message -----
>         From: Mark F <azdays15 at gmail.com>
>         To:
>         Cc: "lubuntu-devel" <lubuntu-devel at lists.ubuntu.com>
>         Subject: Re: [lubuntu-devel] heavy handed password requirements?
>         Date: Thu, 23 Aug 2018 14:50:09 -0700
> 
>         Walter,
> 
>         IMO, for casual home users, it seems a bit overbearing to
>         require cryptic passwords. I have a friend who only uses her
>         Lubuntu to play some games, surf the web, read email. I know
>         there's a risk of her laptop being stolen and someone getting
>         into any web accounts with "remembered" passwords. But, I think
>         the risk is that she'll forget a convoluted laptop password.
> 
>         I like how it is now. It gives us an idea of how strong the
>         password is using an indicator. But, we can choose an insecure
>         password if we wish.
> 
>         Mark
> 
>         On Thu, Aug 23, 2018 at 9:57 AM Walter Lapchynski <wxl at ubuntu.com> wrote:
> 
>             As 18.10 development continues, we find ourselves with opportunities to
>             add in new features which weren't quite so easily implemented before.
>             One of these things is the discovery that Calamares (our installer)
>             supports a library called libpwquality that can enforce all kinds of
>             great password requirements. Being security-minded folks, we're inclined
>             to add such things to the installer and as of recent uploads, you'll
>             find them included. We were actually planning on hardening these even
>             more to require a minimum length, minimum number of character classes,
>             no dictionary words, limited repeat characters or sequences. Check out
>             the [manpage for pwquality.conf][0] for more on the many options
>             available.
> 
>             However, we have at least [one complaint][1] already about this and it
>             has us concerned whether or not we're being a little too heavy handed in
>             these requirements. As you can see in our response, there is a
>             workaround which one can easily accomplish by editing a config file and
>             commenting out all the password section. Still, that wasn't sufficient
>             to satisfy this particular individual, apparently.
> 
>             I still believe secure defaults make sense, especially as this tends to
>             be the rule rather than the exception in the modern world. Everywhere
>             you go, password requirements are there. However, I do not believe we
>             (core development team) should be making these decisions alone. That
>             said, what do you, the community think?
> 
>             [0]: https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod
>             [1]: https://linuxrocks.online/@hil/100600128336751092
> 
>             -- 
>                     @wxl | polka.bike
>             C563 CAC5 8BE1 2F22 A49D
>             68F6 8B57 A48B C4F2 051A
> 
>             -- 
>             Lubuntu-devel mailing list
>             Lubuntu-devel at lists.ubuntu.com
>             Modify settings or unsubscribe at:
>             https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel
> 
> 
> 
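The gap Lyn describes (test1234% meets the length and character-class rules yet fails a dictionary test) and the warn-versus-enforce choice debated in this thread, as an added example that is not code from the thread, Calamares or libpwquality. The parameter names mirror pwquality.conf options; the checks are a simplified model, and the word list and function names are constructed for illustration.

```python
# Constructed mini word list; a real checker would consult a cracklib dictionary.
WORDS = ("lubuntu", "password", "test", "welcome")

def char_classes(pw):
    """Number of classes present: lowercase, uppercase, digit, other."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def longest_repeat(pw):
    """Longest run of one repeated character, e.g. 3 for 'aaab'."""
    best = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == c else 1
        best = max(best, run)
    return best

def longest_sequence(pw):
    """Longest monotonic run such as '1234' or 'dcba'."""
    best = run = 1 if pw else 0
    step = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1):
            run = run + 1 if d == step else 2
            step = d
        else:
            run, step = 1, 0
        best = max(best, run)
    return best

def dictionary_word(pw):
    """Strip digits and symbols, then look for a listed word in what is left."""
    core = "".join(c for c in pw.lower() if c.isalpha())
    return next((w for w in WORDS if w in core), None)

def check(pw, minlen=8, minclass=3, maxrepeat=3, maxsequence=4, enforce=False):
    """Return (accepted, warnings); with enforce=False nothing is rejected."""
    word = dictionary_word(pw)
    findings = [
        (len(pw) < minlen, f"shorter than {minlen} characters"),
        (char_classes(pw) < minclass, f"fewer than {minclass} character classes"),
        (longest_repeat(pw) > maxrepeat, f"more than {maxrepeat} repeats in a row"),
        (longest_sequence(pw) > maxsequence, f"sequence longer than {maxsequence}"),
        (word is not None, f"based on dictionary word '{word}'"),
    ]
    warnings = [msg for failed, msg in findings if failed]
    return (not enforce or not warnings), warnings
```

With `enforce=False` the installer would show the warnings and still accept the password, which is the notification-only behaviour several replies ask for; `enforce=True` turns the same findings into a rejection.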



