<div dir="ltr"><div>Hello all</div><div><br></div><div>Some people just cannot remember difficult passwords, they just cannot.</div><div>I understand that a very difficult password is better.</div><div>My suggestion is (like some websites do) get an indicator like red with the wording not good at all, not good, average, very good and excellent or something like that and colors going from red to green.</div><div>Maybe a popup when the level is red to orange telling a person why a good password is important, but to enforce it - no.</div><div>What is the use of a person not be able to remember the password?</div><div><br></div><div>Also it depends on what you use the machine for.</div><div>I have one all Dell SFF desktop computer which I use as an entertainment center.</div><div>There a simple password is enough.</div><div><br></div><div>So leave the choice up to the user but inform the user about how important a password is, in a language that everybody can understand.</div><div><br></div><div><br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div>Met vriendelijke groet / Best regards,<br><br>Jan Holtman<br><br><a href="mailto:1%3Aoulik.jan@gmail.com" target="_blank">oulik.jan@gmail.com</a><br><br><a href="mailto:2%3Ajan.holtman@live.com" target="_blank"></a></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 24, 2018 at 12:37 AM Artemgy <<a href="mailto:launchpad@artmg.org">launchpad@artmg.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u> <div><div style="font-family:Tahoma">Walter, <br></div> <div style="font-family:Tahoma"><br></div> <div style="font-family:Tahoma">+1 for notification ONLY not enforcement<br></div> <div><br></div> <div style="font-family:Tahoma">I agree with Bryan, Ian and Mark, that letting people see the strength of their password adds value, but preventing them using passwords below a strength that WE determine WITHOUT understanding their use cases or needs is perhaps inappropriate. Personally I use full disk encryption with very strong passwords on my main Lubuntu PC(s), but I also use the distro as a basis for a number of utility devices, some of which are shared or kiosk style, and on these the non-admin account credential checks would be considered weak or non-existent.<br></div> <div style="font-family:Tahoma"><br></div> <div style="font-family:Tahoma">If a distro developer sets the barrier too high then it risks putting people off. Better to educate folk to make the appropriate choice for their own needs.<br></div> <div style="font-family:Tahoma"><br></div> <div style="font-family:Tahoma">It's great that you ask for people's opinions on matters like this, I just hope you don't feel burned by the bashlash :)<br></div> <div style="font-family:Tahoma"><br></div> <div style="font-family:Tahoma"></opinion><br></div> <div style="font-family:Tahoma">Art<br></div> <div><br></div> <div>----- Original message -----<br></div> <div>From: Mark F <<a href="mailto:azdays15@gmail.com" target="_blank">azdays15@gmail.com</a>><br></div> <div>To:<br></div> <div>Cc: "lubuntu-devel" <<a href="mailto:lubuntu-devel@lists.ubuntu.com" target="_blank">lubuntu-devel@lists.ubuntu.com</a>><br></div> <div>Subject: Re: [lubuntu-devel] heavy handed password requirements?<br></div> <div>Date: Thu, 23 Aug 2018 14:50:09 -0700<br></div> <div><br></div> <div dir="ltr"><div>Walter,<br></div> <div><br></div> <div style="font-family:Tahoma">IMO, for casual home users, it seems a bit overbearing to require cryptic passwords. I have a friend who only uses her Lubuntu to play some games, surf the web, read email. I know there's a risk of her laptop being stolen and someone getting into any web accounts with "remembered" passwords. But, I think the risk is that she'll forget a convoluted laptop password. <br></div> <div><br></div> <div>I like how it is now. It gives us an idea of how strong the password is using an indicator. But, we can choose an insecure password if we wish.<br></div> <div><br></div> <div>Mark<br></div> </div> <div style="font-family:Tahoma"><br></div> <div><div dir="ltr">On Thu, Aug 23, 2018 at 9:57 AM Walter Lapchynski <<a href="mailto:wxl@ubuntu.com" target="_blank">wxl@ubuntu.com</a>> wrote:<br></div> <blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-color:rgb(204,204,204);border-left-style:solid;border-left-width:1px;padding-left:1ex"><div style="font-family:Tahoma">As 18.10 development continues, we find ourselves with opportunities to<br></div> <div style="font-family:Tahoma"> add in new features which weren't quite so easily implemented before.<br></div> <div style="font-family:Tahoma"> One of these things is the discovery that Calamares (our installer)<br></div> <div style="font-family:Tahoma"> supports a library called libpwquality that can enforce all kinds of<br></div> <div style="font-family:Tahoma"> great password requirements. Being security-minded folks, we're inclined<br></div> <div style="font-family:Tahoma"> to add such things to the installer and as of recent uploads, you'll<br></div> <div style="font-family:Tahoma"> find them included. We were actually planning on hardening these even<br></div> <div style="font-family:Tahoma"> more to require a minimum length, miminum number of character classes,<br></div> <div style="font-family:Tahoma"> no dictionary words, limited repeat characters or sequences. Check out<br></div> <div style="font-family:Tahoma"> the [manpage for pwquality.conf][0] for more on the many options<br></div> <div style="font-family:Tahoma"> available.<br></div> <div style="font-family:Tahoma"> <br></div> <div style="font-family:Tahoma"> However, we have at least [one complaint][1] already about this and it<br></div> <div style="font-family:Tahoma"> has us concerned whether or not we're being a little too heavy handed in<br></div> <div style="font-family:Tahoma"> these requirements. As you can see in our response, there is a<br></div> <div style="font-family:Tahoma"> workaround which one can easily accomplish by editing a config file and<br></div> <div style="font-family:Tahoma"> commenting out all the password section. Still, that wasn't sufficient<br></div> <div style="font-family:Tahoma"> to satisfy this particular individual, apparently.<br></div> <div style="font-family:Tahoma"> <br></div> <div style="font-family:Tahoma"> I still believe secure defaults make sense, especially as this tends to<br></div> <div style="font-family:Tahoma"> be the rule rather than the exception in the modern world. Everywhere<br></div> <div style="font-family:Tahoma"> you go, password requirements are there. However, I do not believe we<br></div> <div style="font-family:Tahoma"> (core development team) should be making these decisions alone. That<br></div> <div style="font-family:Tahoma"> said, what do you, the community think?<br></div> <div style="font-family:Tahoma"> <br></div> <div style="font-family:Tahoma"> [0]:<br></div> <div style="font-family:Tahoma"> <a href="https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod" target="_blank">https://github.com/libpwquality/libpwquality/blob/master/doc/man/pwquality.conf.5.pod</a><br></div> <div style="font-family:Tahoma"> [1]: <a href="https://linuxrocks.online/@hil/100600128336751092" target="_blank">https://linuxrocks.online/@hil/100600128336751092</a><br></div> <div style="font-family:Tahoma"> <br></div> <div style="font-family:Tahoma"> -- <br></div> <div style="font-family:Tahoma"> @wxl | polka.bike<br></div> <div style="font-family:Tahoma"> C563 CAC5 8BE1 2F22 A49D <br></div> <div style="font-family:Tahoma"> 68F6 8B57 A48B C4F2 051A<br></div> <div style="font-family:Tahoma"> <br></div> <div style="font-family:Tahoma"> -- <br></div> <div style="font-family:Tahoma"> Lubuntu-devel mailing list<br></div> <div style="font-family:Tahoma"> <a href="mailto:Lubuntu-devel@lists.ubuntu.com" target="_blank">Lubuntu-devel@lists.ubuntu.com</a><br></div> <div style="font-family:Tahoma"> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel" target="_blank">https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel</a><br></div> </blockquote></div> <div>--<br></div> <div>Lubuntu-devel mailing list<br></div> <div><a href="mailto:Lubuntu-devel@lists.ubuntu.com" target="_blank">Lubuntu-devel@lists.ubuntu.com</a><br></div> <div>Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel" target="_blank">https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel</a><br></div> </div> -- <br> Lubuntu-devel mailing list<br> <a href="mailto:Lubuntu-devel@lists.ubuntu.com" target="_blank">Lubuntu-devel@lists.ubuntu.com</a><br> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/lubuntu-devel</a><br> </blockquote></div>