Bug 1265331 - Password complexity is worthless and shouldn't be required
Status: CLOSED DUPLICATE of bug 1265066
Product: Bugzilla
Classification: Community
Component: User Accounts
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: PnT DevOps Devs
QA Contact: tools-bugs
Reported: 2015-09-22 12:50 EDT by Joe Julian
Modified: 2015-09-25 00:06 EDT
Doc Type: Bug Fix
Last Closed: 2015-09-25 00:06:28 EDT
Type: Bug
Description Joe Julian 2015-09-22 12:50:18 EDT
Description of problem:
This morning when I logged in I had to change my password because it didn't meet complexity requirements. This is silly. Everyone knows that complexity < entropy[1]. In fact, when enforced complexity rules are in place, the difficulty in cracking passwords actually decreases[2].

This is a well enough known fact that even xkcd has made a comic about it[3].

Version-Release number of selected component (if applicable):
4.4.9039-5


Steps to Reproduce:
1. Choose a very secure password of sufficient length to provide entropy that is effectively unhackable.


Actual results:
Password is rejected for not meeting complexity requirements.


Expected results:
Password is accepted.


Additional info:
[1] https://834e27ae-a-62cb3a1a-s-sites.googlegroups.com/site/reusablesec/Home/presentations-and-papers/CCS_Password_Metric_Measurement.pdf
[2] https://www.cs.utexas.edu/~tansey/passwords.pdf
[3] https://xkcd.com/936/
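The following is an added example, not code from the bug report or from Bugzilla itself. It puts a character-class composition rule of the kind the report objects to next to a length-plus-blocklist rule in the spirit of NIST SP 800-63B section 5.1.1.2 (minimum length, no composition rules, reject known-weak passwords), and runs both over constructed samples. The thresholds (8 characters and 3 classes; 8 to 128 characters), the blocklist contents, the sample passwords and the 2048-word dictionary used for the passphrase estimate are all assumptions made here; the brute-force estimate is only an upper bound and is not a measure of real strength.

```python
"""Added example (not Bugzilla's own code): a character-class composition
policy of the kind the bug report objects to, side by side with a
length-plus-blocklist policy in the spirit of NIST SP 800-63B section 5.1.1.2
(minimum length, no composition rules, reject known-weak passwords).
Thresholds, the blocklist and the sample passwords are all constructed here."""
import math
import string

# Hypothetical composition rule: at least 8 characters, at least 3 of 4 classes.
COMPLEXITY_MIN_LEN = 8
COMPLEXITY_MIN_CLASSES = 3

# Hypothetical length rule: 8..128 characters, any characters, not on a blocklist.
LENGTH_MIN = 8
LENGTH_MAX = 128
# Constructed stand-in for a breached/common-password list; compared case-insensitively.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "p@ssw0rd1", "welcome1", "qwerty123"}


def count_classes(pw: str) -> int:
    """Number of character classes (lower, upper, digit, punctuation) present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def meets_complexity(pw: str) -> bool:
    """Composition policy: rejects long lowercase passphrases, accepts short
    'leet' passwords that satisfy the class count."""
    return len(pw) >= COMPLEXITY_MIN_LEN and count_classes(pw) >= COMPLEXITY_MIN_CLASSES


def meets_length_policy(pw: str) -> bool:
    """Length-plus-blocklist policy: no class requirement, spaces allowed,
    known-weak values rejected no matter how many classes they contain."""
    if not LENGTH_MIN <= len(pw) <= LENGTH_MAX:
        return False
    return pw.lower() not in BLOCKLIST


def brute_force_bits(pw: str) -> float:
    """log2 of the search space if an attacker tries every string over the
    classes present. An upper bound that flatters human-chosen passwords,
    but enough to show that length outweighs symbol substitution."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    if any(c.isspace() for c in pw):
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


def passphrase_bits(pw: str, dictionary_size: int = 2048) -> float:
    """Bits for a space-separated passphrase when the attacker knows the word
    list (the xkcd 936 model): log2(dictionary_size) per word."""
    return len(pw.split()) * math.log2(dictionary_size)


def evaluate(pw: str) -> dict:
    """Verdict of both policies plus the strength estimates for one password."""
    result = {
        "complexity_policy": meets_complexity(pw),
        "length_policy": meets_length_policy(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
    }
    if " " in pw.strip():
        result["passphrase_bits"] = round(passphrase_bits(pw), 1)
    return result


# Constructed samples: a blocklisted 'complex' password and the xkcd 936 pair.
SAMPLES = ["P@ssw0rd1", "Tr0ub4dor&3", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: {evaluate(pw)}")
```

Running it shows the inversion the report describes: "P@ssw0rd1" satisfies the composition rule and is rejected only by the blocklist, while "correct horse battery staple" fails the composition rule yet passes the length rule and has the larger search space under either estimate.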
Comment 1 Jason McDonald 2015-09-25 00:06:28 EDT
Hi Joe,

The change in complexity requirements was made because a disturbingly high number of Bugzilla users with access to confidential data were found to have extremely weak passwords (e.g. six character dictionary words).  We decided to address that problem by increasing the lowest common denominator, on the theory that some complexity is better than none at all.  That has unfortunately inconvenienced some users who were already doing the right thing, and I apologise for that.

Your points above about complexity vs entropy are, of course, completely valid.  We are planning to restore the ability to use long passphrases via Bug 1265066.  You are welcome to provide feedback there if you have any further concerns.

*** This bug has been marked as a duplicate of bug 1265066 ***
