Bug 1265331

Summary: Password complexity is worthless and shouldn't be required
Product: [Community] Bugzilla
Reporter: Joe Julian <joe>
Component: User Accounts
Assignee: PnT DevOps Devs <hss-ied-bugs>
Status: CLOSED DUPLICATE
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Priority: unspecified
Version: 4.4
CC: jmcdonal, mtahir, qgong, xiawu
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-09-25 04:06:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Joe Julian 2015-09-22 16:50:18 UTC
Description of problem:
This morning when I logged in I had to change my password because it didn't meet complexity requirements. This is silly. Everyone knows that complexity < entropy[1]. In fact, when enforced complexity rules are in place, the difficulty in cracking passwords actually decreases[2].

This is a well enough known fact that even xkcd has made a comic about it[3].

Version-Release number of selected component (if applicable):
4.4.9039-5


Steps to Reproduce:
1. Choose a very secure password of sufficient length to provide entropy that is effectively unhackable.


Actual results:
Password is rejected for not meeting complexity requirements.


Expected results:
Password is accepted.


Additional info:
[1] https://834e27ae-a-62cb3a1a-s-sites.googlegroups.com/site/reusablesec/Home/presentations-and-papers/CCS_Password_Metric_Measurement.pdf
[2] https://www.cs.utexas.edu/~tansey/passwords.pdf
[3] https://xkcd.com/936/
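The report's point (a character-class complexity rule rejects a long, high-entropy passphrase while letting a short mangled dictionary word through) can be made concrete by evaluating the same two candidate passwords under both kinds of rule. The following is an added illustration, not code from the reporter or from Bugzilla; the thresholds (8 characters, 3 of 4 classes, 50 bits), the leetspeak substitution table and the small common-word list are constructed assumptions, and the 7776-entry word list size is that of the standard Diceware list.

```python
"""Compare a character-class complexity rule with an entropy estimate.

Added example; MIN_LENGTH, MIN_CLASSES, MIN_BITS, COMMON_WORDS and the
LEET table are assumptions for illustration, not Bugzilla's settings.
"""
import math
import string

MIN_LENGTH = 8            # assumed complexity rule: at least 8 characters ...
MIN_CLASSES = 3           # ... drawn from at least 3 of the 4 character classes
MIN_BITS = 50             # assumed threshold for the entropy-based rule

CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}
WORDLIST_SIZE = 7776      # size of the Diceware list; attacker assumed to know it
COMMON_WORDS = frozenset({"password", "welcome", "letmein", "qwerty",
                          "bugzilla", "redhat", "monkey", "dragon"})  # constructed
LEET = str.maketrans("@0134$!", "aoleasi")  # common substitutions, constructed


def classes_used(pw):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def complexity_ok(pw):
    """The kind of rule the bug report complains about."""
    return len(pw) >= MIN_LENGTH and len(classes_used(pw)) >= MIN_CLASSES


def charset_bits(pw):
    """Brute-force upper bound: length * log2(size of the character pool in use)."""
    known = set().union(*CLASSES.values())
    pool = sum(len(CLASSES[name]) for name in classes_used(pw))
    pool += len({c for c in pw if c not in known})  # e.g. space
    return len(pw) * math.log2(pool) if pool else 0.0


def passphrase_bits(pw):
    """Multi-word passphrase: strength is words * log2(wordlist), not letters."""
    return len(pw.split()) * math.log2(WORDLIST_SIZE)


def dictionary_bits(pw):
    """Mangled dictionary word: the base word plus one bit per mangled position."""
    base = pw.translate(LEET).lower()
    if base not in COMMON_WORDS:
        return None
    mangled = sum(1 for a, b in zip(pw, base) if a != b)
    return math.log2(len(COMMON_WORDS)) + mangled


def entropy_bits(pw):
    """Most pessimistic (lowest) estimate across the attacker models above."""
    estimates = [charset_bits(pw)]
    if len(pw.split()) > 1:
        estimates.append(passphrase_bits(pw))
    dict_estimate = dictionary_bits(pw)
    if dict_estimate is not None:
        estimates.append(dict_estimate)
    return min(estimates)


def evaluate(pw):
    """Verdict of each rule for one candidate password."""
    bits = entropy_bits(pw)
    return {"complexity": complexity_ok(pw),
            "bits": round(bits, 1),
            "entropy_ok": bits >= MIN_BITS}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate), evaluate(candidate))
```

Under the assumed thresholds, `P@ssw0rd` satisfies the complexity rule but is worth about 6 bits once the substitutions are undone, while the four-word passphrase fails the complexity rule yet retains roughly 52 bits even against an attacker who guesses whole words from the list.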

Comment 1 Jason McDonald 2015-09-25 04:06:28 UTC
Hi Joe,

The change in complexity requirements was made because a disturbingly high number of Bugzilla users with access to confidential data were found to have extremely weak passwords (e.g. six character dictionary words).  We decided to address that problem by increasing the lowest common denominator, on the theory that some complexity is better than none at all.  That has unfortunately inconvenienced some users who were already doing the right thing, and I apologise for that.

Your points above about complexity vs entropy are, of course, completely valid.  We are planning to restore the ability to use long passphrases via Bug 1265066.  You are welcome to provide feedback there if you have any further concerns.

*** This bug has been marked as a duplicate of bug 1265066 ***