On Mon, Mar 9, 2015 at 6:53 PM, Björn Persson wrote:
> Nico Kadel-Garcia wrote:
>> I'm the guy that brought up the XKCD comic.
>
> I did it first. ;-)
>
>> The classic
>> storage is the Post-it note on the secretary's desk, but I see a lot
>> of people who should know better writing them into sour
On Tue, Mar 10, 2015 at 5:38 PM, Björn Persson wrote:
> In the hope of clearing up any
> misunderstandings I'll make these statements:
Thanks for the clarifications. My own clarification is that what I
wrote is directed "at large", not only to you personally. Usage of
"you" was intended to be pl
Björn Persson wrote:
> Kevin Kofler wrote:
> > The user surely knows better what a good password is than the
> > software does. If the user picks a crappy password, there's probably a good
> > reason.
>
> There are two possible reasons why you would say that. Either you
> haven't even looked at
On Tue, Mar 10, 2015 at 2:16 PM, Chris Murphy wrote:
> So why not a 25 character limit?
That's maybe confusing. Why not a 25 character minimum?
--
Chris Murphy
On Tue, Mar 10, 2015 at 4:15 AM, Björn Persson wrote:
> Kevin Kofler wrote:
>> The user surely knows better what a good password is than the
>> software does. If the user picks a crappy password, there's probably a good
>> reason.
>
> There are two possible reasons why you would say that. Either y
On 10 Mar 2015, at 07:00, Matěj Cepl wrote:
> On 2015-03-10, 10:15 GMT, Björn Persson wrote:
> > > The user surely knows better what a good password is than the
> > > software does. If the user picks a crappy password, there's probably a good
> > > reason.
> >
> > There are two possible reasons why you would say tha
On 2015-03-10, 10:15 GMT, Björn Persson wrote:
>> The user surely knows better what a good password is than the
>> software does. If the user picks a crappy password, there's probably a good
>> reason.
>
> There are two possible reasons why you would say that. Either you
> haven't even looked at
Kevin Kofler wrote:
> The user surely knows better what a good password is than the
> software does. If the user picks a crappy password, there's probably a good
> reason.
There are two possible reasons why you would say that. Either you
haven't even looked at the Ars Technica articles that have
> Why not? The user surely knows better what a good password is than the
> software does. If the user picks a crappy password, there's probably a good
> reason.
You have an alarmingly naive understanding of our user base...
(not that *I* want to give up control of my passwords, but I'm not an
Mike Pinkerton wrote:
> I guess one response would be to give up any pretense of password
> quality checking, although I am not advocating that.
Why not? The user surely knows better what a good password is than the
software does. If the user picks a crappy password, there's probably a good
reas
On Mon, Mar 9, 2015 at 4:53 PM, Björn Persson wrote:
> Nico Kadel-Garcia wrote:
>> I'm the guy that brought up the XKCD comic.
>
> I did it first. ;-)
Sorry, I think it was adamw who referenced it on anaconda-devel@ over
a month ago when this topic first came up. :-D And I referenced it
again on
Nico Kadel-Garcia wrote:
> I'm the guy that brought up the XKCD comic.
I did it first. ;-)
> The classic
> storage is the Post-it note on the secretary's desk, but I see a lot
> of people who should know better writing them into source control
> systems that everyone in the company can read.
Or
On 03/06/2015 06:55 PM, Michael Catanzaro wrote:
> Well... yes, I suppose if you've left your computer on and locked, and
> the attacker wants to make sure you do not notice the reboot, or wants
> to get a RAM dump that would be lost when shut down (e.g. for my
> gnome-keyring passwords), then ther
On 08.03.2015 at 17:24, Nico Kadel-Garcia wrote:
There's also a counterproductive effect. Passwords that are enforced,
by policy, to be nonsensical gibberish tend to be written down,
because no one can remember them. And because no one can remember
them, they're written down in easily accessed
On 8 March 2015 at 08:41, Mike Pinkerton wrote:
>
> Ok, to bring this back around to where we started -- password quality
> checkers on Fedora:
>
> 1. By positing a "strategic" attacker, we have now reduced the time we
> expect it to take him/her to crack our 29 character password ("
> rasta
On Sun, Mar 8, 2015 at 8:44 AM, Björn Persson wrote:
> Mike Pinkerton wrote:
>> I was responding to Björn Persson's suggestion that, in discussions
>> of password quality, correcthorsebatterystaple would be an example of
>> a safe password.
>
> Safe_r_. Security in passphrases isn't a binary thing
On 7 Mar 2015, at 20:35, Stephen John Smoogen wrote:
> On 7 March 2015 at 15:33, Mike Pinkerton wrote:
> > On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:
> > > On 7 March 2015 at 11:53, Mike Pinkerton wrote:
> > > > On 7 Mar 2015, at 10:41, Björn Persson wrote:
> > > > > Mike Pinkerton wrote:
> > > > > > On 6 Mar
Mike Pinkerton wrote:
> I was responding to Björn Persson's suggestion that, in discussions
> of password quality, correcthorsebatterystaple would be an example of
> a safe password.
Safe_r_. Security in passphrases isn't a binary thing. XKCD 936
demonstrates that "correct horse battery staple
Mike Pinkerton wrote:
> On 7 Mar 2015, at 10:41, Björn Persson wrote:
> > Mike Pinkerton wrote:
> >> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> >>> On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> I hope https://xkcd.com/936/ will be among the inputs to that
> discussion.
On 7 March 2015 at 15:33, Mike Pinkerton wrote:
>
> On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:
>
>> On 7 March 2015 at 11:53, Mike Pinkerton wrote:
>>
>> On 7 Mar 2015, at 10:41, Björn Persson wrote:
>>
>> Mike Pinkerton wrote:
>> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
>>
On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:
> On 7 March 2015 at 11:53, Mike Pinkerton wrote:
> > On 7 Mar 2015, at 10:41, Björn Persson wrote:
> > > Mike Pinkerton wrote:
> > > > On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > > > > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> > > > > > I hope https:
On 7 March 2015 at 11:53, Mike Pinkerton wrote:
>
> On 7 Mar 2015, at 10:41, Björn Persson wrote:
>
> Mike Pinkerton wrote:
>>
>>> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
>>>
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> I hope https://xkcd.com/936/ will be amon
On 7 Mar 2015, at 10:41, Björn Persson wrote:
> Mike Pinkerton wrote:
> > On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> > > > I hope https://xkcd.com/936/ will be among the inputs to that
> > > > discussion.
> > >
> > > I'm fond of noting that pwquality has not ye
On Fri, Mar 6, 2015 at 2:00 PM, Kevin Fenzi wrote:
> On Fri, 6 Mar 2015 10:52:34 -0500
> David Cantrell wrote:
>
>> From what I'm reading in the meeting logs and the ticket comments, it
>> appears the revert decision is basically a temporary solution and a
>> more formal security policy will be d
On 6 March 2015 at 22:58, Mike Pinkerton wrote:
> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> > > I hope https://xkcd.com/936/ will be among the inputs to that
> > > discussion.
> >
> > I'm fond of noting that pwquality has
Michael Catanzaro wrote:
> On Fri, 2015-03-06 at 19:25 -0500, Miloslav Trmač wrote:
> > The way we deploy LUKS, a single password guess takes one second on a
> > comparable hardware, so the fuzz factor is not actually as large as it
> > might seem.
>
> Wow, I had no clue it was that good. OK, so
Mike Pinkerton wrote:
> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> >> I hope https://xkcd.com/936/ will be among the inputs to that
> >> discussion.
> >
> > I'm fond of noting that pwquality has not yet blacklisted any variant
> > o
On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> > I hope https://xkcd.com/936/ will be among the inputs to that
> > discussion.
>
> I'm fond of noting that pwquality has not yet blacklisted any variant
> of correcthorsebatterystaple. I've been usi
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> Adam Jackson wrote:
> > > > FESCO is prepared to work with anaconda and other stakeholders
> > > > to define security models for the various Fedora products. By
> > > > clarifying our needs we hope to avoid this kind of contention
> > >
> I have no
> clue why VNC passwords are limited/truncated to eight characters, but it
> seems like that limitation makes the protocol not worth supporting at
> all, let alone worth promoting in System Settings.
The only VNC authentication mechanism standardized in RFC 6143 uses the
password as a
On 6 March 2015 at 19:13, Michael Catanzaro wrote:
> On Fri, 2015-03-06 at 19:35 -0500, Miloslav Trmač wrote:
>
> Eh, well by my logic they are both so closely-related that it's nonsense
> to treat them differently... but that comment was more a wishful
> "somebody please fix VNC or rewrite histo
On Fri, 2015-03-06 at 19:35 -0500, Miloslav Trmač wrote:
> There is another very important case where this falls down: the computer is
> enrolled into AD/IPA and the password is used throughout the organization.
> Just looking at a local machine does not necessarily tell you what the needed
> p
On Fri, 2015-03-06 at 19:25 -0500, Miloslav Trmač wrote:
> The way we deploy LUKS, a single password guess takes one second on a
> comparable hardware, so the fuzz factor is not actually as large as it might
> seem.
Wow, I had no clue it was that good. OK, so making one guess at the user
account
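Added worked example (editor's code, not from any message in this thread): the exchange above turns on how long a guess takes, so this script puts numbers on the comparison. It takes the one-guess-per-second figure exactly as Miloslav Trmač states it for Fedora's LUKS deployment, models the xkcd 936 passphrase the way the comic does (four words from a list of 2048, 11 bits each, and the comic's own 28-bit estimate for "Tr0ub4dor&3"), and adds one assumed figure that is not in the thread: a rate of 10^9 guesses per second for an offline attack on a fast, unsalted hash, included only to show how much of the protection comes from the slow key derivation rather than from the password alone.

```python
import math

# Figures taken from the thread and the comic it cites:
LUKS_GUESSES_PER_SECOND = 1.0      # Miloslav Trmač: one LUKS guess takes about one second
XKCD_WORDLIST_SIZE = 2048          # xkcd 936 models each word as 11 bits (2048 common words)

# Assumed figure (NOT from the thread): a fast unsalted hash on GPU hardware.
FAST_HASH_GUESSES_PER_SECOND = 1e9


def passphrase_bits(words: int, wordlist_size: int = XKCD_WORDLIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly and independently from the list."""
    return words * math.log2(wordlist_size)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses to hit a uniformly chosen secret: half the search space."""
    return 2.0 ** bits / 2.0


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time at a fixed guess rate (no parallelism modelled)."""
    return expected_guesses(bits) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value >= 1."""
    units = [("years", 365.25 * 86400), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(candidates, rates):
    """Map (password label, rate label) -> expected seconds for every pairing."""
    return {(label, rate_label): seconds_to_crack(bits, rate)
            for label, bits in candidates
            for rate_label, rate in rates}


# Password models discussed in the thread, plus two random-string baselines.
CANDIDATES = [
    ("xkcd 936 four-word passphrase", passphrase_bits(4)),            # 44 bits
    ("xkcd 936 'Tr0ub4dor&3' estimate", 28.0),                        # comic's figure
    ("8 random lowercase letters", random_password_bits(8, 26)),      # ~37.6 bits
    ("8 random printable ASCII chars", random_password_bits(8, 95)),  # ~52.6 bits
]
RATES = [
    ("LUKS, 1 guess/s", LUKS_GUESSES_PER_SECOND),
    ("fast hash, 1e9 guesses/s (assumed)", FAST_HASH_GUESSES_PER_SECOND),
]

if __name__ == "__main__":
    for (label, rate_label), secs in compare(CANDIDATES, RATES).items():
        print(f"{label:34} {rate_label:36} {human_duration(secs)}")
```

The table it prints makes the thread's point concrete: at one guess per second the four-word passphrase holds for hundreds of thousands of years on average, while the same passphrase against a fast hash falls in a few hours. The guess rate, set by the key-derivation cost, is what separates the two columns; the password's entropy only decides the row.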
Hello,
> On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
> > * The workstation folks think this change could drive away some of
> > their potential users for not much gain. In their case, sshd is not
> > enabled/running and additional security for a device that sits in
> > your home isn
David Cantrell wrote:
> From what I'm reading in the meeting logs and the ticket comments, it
> appears the revert decision is basically a temporary solution and a more
> formal security policy will be discussed later. We had technical
> arguments in favor of the change originally, but I have yet
> On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
> > * The workstation folks think this change could drive away some of
> > their potential users for not much gain. In their case, sshd is not
> > enabled/running and additional security for a device that sits in
> > your home isn't wort
Hello,
> On Fri, Mar 06, 2015 at 09:43:33AM -0500, Adam Jackson wrote:
> > As resolved by FESCO in our meeting on 4 March 2015, FESCO requests that
> > anaconda revert a password behaviour change in the UI from F22,
> > restoring the "double-click to confirm weak password" behaviour from F21
> > an
Hi!
On Fri, 2015-03-06 at 23:01 +0100, Björn Persson wrote:
> or if the attacker snuck into your room when you left it to fetch some
> coffee, and needs to unlock your console, implant a backdoor and sneak
> back out before you return, or otherwise can't reboot your computer
> because you would no
On Fri, 2015-03-06 at 15:14 -0600, Michael Catanzaro wrote:
> On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
> > * The workstation folks think this change could drive away some of
> > their potential users for not much gain. In their case, sshd is not
> > enabled/running and additional s
Adam Jackson wrote:
> > > FESCO is prepared to work with anaconda and other stakeholders to define
> > > security models for the various Fedora products. By clarifying our
> > > needs we hope to avoid this kind of contention in the future.
> >
> > The discussion for this might as well start now
Michael Catanzaro wrote:
> If the attacker is unskilled and doesn't know how to boot a live image,
or if the attacker snuck into your room when you left it to fetch some
coffee, and needs to unlock your console, implant a backdoor and sneak
back out before you return, or otherwise can't reboot you
On Fri, 2015-03-06 at 12:00 -0700, Kevin Fenzi wrote:
> * The workstation folks think this change could drive away some of
> their potential users for not much gain. In their case, sshd is not
> enabled/running and additional security for a device that sits in
> your home isn't worth the addi
On Fri, 6 Mar 2015 10:52:34 -0500
David Cantrell wrote:
> From what I'm reading in the meeting logs and the ticket comments, it
> appears the revert decision is basically a temporary solution and a
> more formal security policy will be discussed later. We had
> technical arguments in favor of th
On Fri, 2015-03-06 at 10:52 -0500, David Cantrell wrote:
> I wish a formal distribution and/or per-variant security policy would come
> from FESCo (or a committee directed by FESCo) so we could resolve the
> concerns now and going forward. I don't see the revert decision as being a
> good step in
On Fri, Mar 06, 2015 at 09:43:33AM -0500, Adam Jackson wrote:
> As resolved by FESCO in our meeting on 4 March 2015, FESCO requests that
> anaconda revert a password behaviour change in the UI from F22,
> restoring the "double-click to confirm weak password" behaviour from F21
> and earlier.
From
As resolved by FESCO in our meeting on 4 March 2015, FESCO requests that
anaconda revert a password behaviour change in the UI from F22,
restoring the "double-click to confirm weak password" behaviour from F21
and earlier.
As for how that's realized: I'm not picky. If it makes more sense from
a d