Red Hat Bugzilla – Bug 1265331
Password complexity is worthless and shouldn't be required
Last modified: 2015-09-25 00:06:28 EDT
Description of problem:
This morning when I logged in I had to change my password because it didn't meet complexity requirements. This is silly. Everyone knows that complexity < entropy. In fact, when enforced complexity rules are in place, the difficulty in cracking passwords actually decreases.
This is a well enough known fact that even xkcd has made a comic about it.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Choose a very secure password of sufficient length to provide entropy that is effectively unhackable.

Actual results:
Password is rejected for not meeting complexity requirements.

Expected results:
Password is accepted.
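To make the complexity-versus-entropy argument concrete, here is an added example (not code from the bug report or from Bugzilla itself) that checks a candidate against a classic character-class rule and against an entropy estimate, and then accepts a password that satisfies either. The policy thresholds, the diceware-sized wordlist and the passphrase model are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed policy parameters (assumptions, not Red Hat Bugzilla's real rules).
MIN_LENGTH = 8          # classic rule: at least this many characters
MIN_CLASSES = 3         # classic rule: at least this many of the 4 classes
MIN_ENTROPY_BITS = 50.0 # alternative acceptance threshold for passphrases
DICEWARE_LIST_SIZE = 7776  # size of a standard 5-dice wordlist (assumed model)

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def classes_used(pw):
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in pw)}

def meets_complexity(pw):
    """The classic rule: minimum length plus N of 4 character classes."""
    return len(pw) >= MIN_LENGTH and len(classes_used(pw)) >= MIN_CLASSES

def keyspace_bits(pw):
    """Upper bound: log2 of the keyspace implied by the classes present and the length.
    A password is never stronger than this, and a guessable one is much weaker."""
    alphabet = sum(len(CHAR_CLASSES[c]) for c in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def passphrase_bits(pw):
    """Bits if the password is N words drawn uniformly from a diceware-sized list,
    which is the honest estimate for something like 'correct horse battery staple'.
    Returns None when the candidate does not look like a word passphrase."""
    words = pw.split()
    if len(words) < 2 or not all(re.fullmatch(r"[a-z]+", w) for w in words):
        return None
    return len(words) * math.log2(DICEWARE_LIST_SIZE)

def estimated_bits(pw):
    """Use the more conservative of the applicable models."""
    ks = keyspace_bits(pw)
    pp = passphrase_bits(pw)
    return min(ks, pp) if pp is not None else ks

def accepts(pw):
    """Policy that does not punish entropy: complexity OR an entropy estimate suffices."""
    return meets_complexity(pw) or estimated_bits(pw) >= MIN_ENTROPY_BITS
```

A four-word passphrase scores about 51.7 bits under the passphrase model and is accepted, even though the classic rule rejects it for using only two character classes; an eight-character complexity-compliant password cannot exceed roughly 52.6 bits even in the best case.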
The change in complexity requirements was made because a disturbingly high number of Bugzilla users with access to confidential data were found to have extremely weak passwords (e.g. six character dictionary words). We decided to address that problem by increasing the lowest common denominator, on the theory that some complexity is better than none at all. That has unfortunately inconvenienced some users who were already doing the right thing, and I apologise for that.
Your points above about complexity vs entropy are, of course, completely valid. We are planning to restore the ability to use long passphrases via Bug 1265066. You are welcome to provide feedback there if you have any further concerns.
*** This bug has been marked as a duplicate of bug 1265066 ***