Newest Anaconda to enforce passwords
  1. #1

    Newest Anaconda to enforce passwords

    This Friday's build of Anaconda will no longer allow you to use weak
    passwords and click done twice. In order to promote more secureish
    default systems I have increased the password length required to 8
    characters and removed allowing weak (as defined by libpwquality)
    passwords.
    Just a heads up for those who use rawhide and have missed the announcement on the testing list.

  2. #2

    Re: Newest Anaconda to enforce passwords

    Good move. I believe all OS should set a higher emphasis on the use of stronger passwords. Especially on accounts with root or admin rights.

    8 characters is still fairly weak unless you randomise a password from a mix of lowercase, uppercase, numeric and special characters. Then at least you'd have a modicum of password strength. I use minimum 16 when setting passwords.

    e.g. pineappl is 8 characters and about as much use as a chocolate fireguard.

    2Hu&1a%n is better.

    No actual passwords were harmed (that I'd use anyhow) in the making of this post...

  3. #3

    Re: Newest Anaconda to enforce passwords

    I think it totally sucks.

    This should be left up to the user -- maybe suggested but not enforced by the OS.

    The hours wasted by everyone who will use Fedora vs the select few who need such a policy does not justify it!

  4. #4

    Re: Newest Anaconda to enforce passwords

    Quote Originally Posted by smr54
    Just a heads up for those who use rawhide and have missed the announcement on the testing list.

    What a shxxxy idea. Really. Let me explain why I believe so and provide a better alternative solution.

    I use a Canadian French keyboard and corresponding layout. My after installation root passwords always contain one or more characters from

    é É È ô « » # € ¥ and even ¼ ½ ¾ and ¢

    On a second computer, I have the latam keyboard and use that layout (Latin American Spanish). I can include the inverted ! ? in addition to most of the previously listed characters.

    So, my practice has been to use 12345678 for a root password, only during installation, and on the first root login, to immediately change the root password to a more complex one.

    I do that « second password » change after I am certain that the virtual terminal layout is « ca » and the keyboard layout has been properly setup as the default.

    Many times from the command line, after a reboot, I had to run « localectl set-x11-keymap ca pc105 » so I could enable that Canadian French keyboard layout. However, if I used one of the above listed characters in a password during anaconda setup, and if the keyboard failed to be setup correctly (verify via ctl-alt-f2...ctl-alt-fn) some of my password characters cannot be entered at all, as a few of them are not available on the default « us pc105 » layout.

    What are my choices when the character can't be entered?

    a) reinstall using a simpler password. A few times I have followed this option.
    b) Use the emergency flash-drive image to boot the new Fedora release in order to recreate the passwords.
    c) use a simple password and change it to something more complex on first post installation login.
    d) While anaconda is running, enter terminal mode and run the passwd command for root.

    My ideal solution would be to enforce Linux's password expiry:
    Use Linux's ability to force a « password change » on a first login. In other words, allow the simple password and force the user (root, and/or admin and/or standard user) to install a new password on a first login. This password expiry method is a standard option with all Linux distributions.

    A second reason why it is a poor decision.

    Via command line, I can force any password I want for any user. I just ignore the warning message.

    I do not see any increase in security by choosing the method of password creation during an anaconda installation of Fedora. It will mean I have to learn to use 1234###abc as an anaconda root and admin passwords and I will change them at first login.

    Put your energies elsewhere, just ensure any 8 characters from pc105 layout.
    Last edited by lsatenstein; 31st January 2015 at 03:30 PM. Reason: Never write a rant at 1am in the morning
    Leslie in Montreal

    Interesting web sites list
    http://forums.fedoraforum.org/showth...40#post1697840
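
Added example, not part of the original thread: the first-login expiry that post #4 proposes is stored as a `0` in the third field of the account's shadow entry, so it can be audited. The `audit_shadow` and `sample_shadow` names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Forcing a change at first login (run as root on the installed system,
# e.g. from a kickstart %post section):
#     chage -d 0 root        # equivalently: passwd -e root
# Both set the "last changed" field (3rd field) of the shadow entry to 0,
# which shadow(5) defines as "must change password at next login".

# Classify every account in a shadow-format file ("-" reads stdin):
#   EMPTY-PASSWORD    no hash at all, login needs no password
#   locked            hash field starts with "!" or "*"
#   change-forced     usable hash, change required at next login
#   no-forced-change  usable hash, installer password stays in force
audit_shadow() {
    awk -F: '
        $2 == ""     { print $1 ": EMPTY-PASSWORD";   next }
        $2 ~ /^[!*]/ { print $1 ": locked";           next }
        $3 == "0"    { print $1 ": change-forced";    next }
                     { print $1 ": no-forced-change" }
    ' "$1"
}

# Constructed sample entries (hashes are placeholders, not real crypt output).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedhash:0:0:99999:7:::
admin:$6$CONSTRUCTEDSALT$constructedhash:16466:0:99999:7:::
daemon:*:16466:0:99999:7:::
guest::16466:0:99999:7:::
EOF
}

# Demonstration on the constructed sample.
sample_shadow | audit_shadow -
```

On a real system the function is run as root against `/etc/shadow`.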

  5. #5

    Re: Newest Anaconda to enforce passwords

    To me personally, it's not a big deal. I have a "complex" password for all my test VMs ... the discussion on test@ has been very interesting nevertheless - which I have been following from the start.

  6. #6

    Re: Newest Anaconda to enforce passwords

    So for my playground VMs I now need to first come up with some bogus hard to crack password before I can remove it again after installation.
    This is pure bull crap and not necessary at all since this is already enforced through non-root passwd and Gnome's user add/password management.
    Last edited by Dutchy; 3rd February 2015 at 01:54 PM. Reason: Grammar

  7. #7

    Re: Newest Anaconda to enforce passwords

    Quote Originally Posted by Dutchy
    So for my playground VMs I now need to first come up with some bogus hard to crack password before I can remove it again after installation.
    This is pure bull crap and not necessarily at all since this is already enforce through non-root passwd and Gnome's user add/password management.

    This is exactly what a lot of people on test@ are also saying - and I do agree (even if it doesn't affect me). The reasons given for this change strike me as odd though ..

  8. #8

    Re: Newest Anaconda to enforce passwords

    The one statement that does make sense is that it's because RedHat (and Fedora) allow root login by default through ssh. I'm not sure how most other systems deal with it, FreeBSD denies it by default, with OpenBSD, if you create a user during install, you're given the option of denying root ssh login. Ubuntu, OSX and friends don't create a root user.

    The general reaction has been negative. I mentioned it on the CentOS list too, because I'm a troll (my serious motive was that those who don't pay attention to Fedora things get shocked when they hit RHEL and therefore CentOS), and the discussion there has been interesting too.

  9. #9
     I Change all my passwords to "incorrect". So whenever I forget, it says, "your password is incorrect". - steve carell ...

  10. #10

    Re: Newest Anaconda to enforce passwords

    I'm opposed to this change as well. I'm the only person with access to this machine. What useful purpose is served by making me deal with a complex password?

  11. #11

    Re: Newest Anaconda to enforce passwords

    I think this is an extremely bad idea. We do not need the nanny state in linux. This type of enforcement generally comes from people with a mistaken vision of their rights and duty and attempt to make everyone conform to their vision. We do not tolerate that attitude in our governments. Freedom is basically defined as the right to not obey.

  12. #12

    Re: Newest Anaconda to enforce passwords

    I don't know what happens if ordinary users write the FESCo people. I know that on the list it was asked that they revert the change, and if they felt that strongly about it, request it through FESCo, but have no idea if any one individual (or individuals) can do the opposite, that is request through FESCo that it be reverted. When I asked on the list where one could complain, the testing list itself was given as a place to complain but despite almost universal disapproval, I haven't heard of it being reverted. The CentOS list who is now also aware of it, is almost universally against it too, and that list has lots of people who use it for a living.

    Maybe someone needs to submit it to slashdot, and, if it's ridiculed by most, as I would think it would be, that will convince them to change it, but frankly, I have no idea. As far as I see, (WARNING--NOT DEEPLY INVESTIGATED, QUITE POSSIBLY FUD), one person decided to do it, did it, announced it, and that was that.

  13. #13

    Re: Newest Anaconda to enforce passwords

    Quote Originally Posted by pugwash
    I think this is an extremely bad idea. We do not need the nanny state in linux. This type of enforcement generally comes from people with a mistaken vision of their rights and duty and attempt to make everyone conform to their vision. We do not tolerate that attitude in our governments. Freedom is basically defined as the right to not obey.

    Quite agree. Plus it will have a negative effect of motivating users who are content to put up with simple passwords to start logging in as root to avoid having to enter a complex password more than once a session. This is a bad idea all around.

  14. #14

    Re: Newest Anaconda to enforce passwords

    Quote Originally Posted by Dutchy
    So for my playground VMs I now need to first come up with some bogus hard to crack password before I can remove it again after installation.
    This is pure bull crap and not necessary at all since this is already enforced through non-root passwd and Gnome's user add/password management.

    While anaconda is running, you can enter command line and set a password, or even add a third user. To return back to the GUI, only by ctl-alt-f6.

    (I tested this. It applies only to the linux that runs anaconda, and not to the target linux.)
    Last edited by lsatenstein; 15th February 2015 at 08:01 AM.

  15. #15

    Re: Newest Anaconda to enforce passwords

    I am relatively new to Fedora since this past summer. Yet I have been using Linux based systems for more than a dozen years. I do not like this idea of password enforcement.

    While passwords limit non technical nosy people and prevent cats from rebooting a locked screen, passwords do not stop hard-core hackers or technically savvy users. Hacking into a user's account is as easy as using a live CD/USB. Or removing the hard drive and mounting in a different system. Without disk encryption passwords provide no serious protection outside of nominal defense at the keyboard.

    I understand the need for password support in an enterprise environment. In the home environment the usefulness of passwords is debatable. IT folks in an enterprise environment often install systems from cloned images, not from an installer and have their own in-house password policies that activate the first time a user logs in. Most users who install a fresh system using an installer are likely to be non enterprise users, likely home users.

    Adding password enforcement in the installer is like teaching cows to sing. A waste of time and the cows get irritated.

    Please do not add password enforcement.
