Bug 344217 - Minimum password is too long
Status: RESOLVED FIXED
Alias: None
Product: user-manager
Classification: Plasma
Component: kcontrol module
Version: 5.2.0
Platform: Other Linux
: NOR normal
Target Milestone: ---
Assignee: Jonathan Riddell
Reported: 2015-02-16 02:25 UTC by Aleix Pol
Modified: 2019-06-27 11:59 UTC

Description Aleix Pol 2015-02-16 02:25:12 UTC
It asks me for 9 characters worth of password as minimum. I think it's a good recommendation to introduce good passwords, but I don't think we can require everyone to use such long passwords.

Reproducible: Always
Comment 1 Myriam Schweingruber 2015-02-17 02:52:11 UTC
Sounds like a bad idea indeed, it should be at the users' discretion to choose the password length. After all they are responsible for their own security.
Comment 2 Harald Sitter 2015-02-17 08:43:58 UTC
https://fedorahosted.org/libpwquality/
one would think libraries are used by design and not by accident ;)
Comment 3 Aleix Pol 2015-02-17 10:23:42 UTC
So it shouldn't?
Comment 4 Harald Sitter 2015-02-17 10:27:03 UTC
Maybe.

pwquality is configurable via /etc/security/pwquality.conf though, so at the end this is probably nothing more than a distro-level policy decision. Alas, I suppose the default length requirement being that high doesn't help either.
Comment 5 Aleix Pol 2015-02-17 10:29:16 UTC
Should we close this as downstream and report it somewhere in Kubuntu then?
Comment 6 Harald Sitter 2015-02-17 10:43:12 UTC
Maybe :P

TLDR: design input needed on either 'should user-manager prevent the user from setting a weak password' or 'should user-manager only display a warning when trying to set a weak password but allow setting it all the same'.

I doubt it's going to be changed in Debian/Ubuntu for no better reason than longer passwords being better and pwquality being used by the GNOME and Unity counterparts with the existing settings and no one complained about those.
IMO this needs some design input first regardless though. Either we want user-manager to be very secure or very convenient. The decision that you cannot set a weak password is very much one made in user-manager. All pwquality does is evaluate whether a password is meeting the configured quality criteria; user-manager is the one preventing you from using a crappy password.

(personally I'd favor informing the user about the weakness and letting them use it anyway)
Comment 7 Aleix Pol 2015-02-17 22:30:05 UTC
I agree this would be a good compromise.
Comment 8 Filip Fila 2019-06-26 15:30:22 UTC
I'm able to set the worst of passwords, so there is no required minimum length (only a recommended one). Can we close this report?
Comment 9 Harald Sitter 2019-06-27 10:38:40 UTC
Well, I can't reproduce it. And looking at the code it certainly doesn't seem to enforce the quality anymore (even when pwquality says it should enforce it, which technically I guess is another bug ;))
Comment 10 Harald Sitter 2019-06-27 11:59:24 UTC
As it turns out pwquality does in fact default to enforcement on, so honoring enforcement would in fact bring back this bug. So let's ignore this technicality and leave things as they are.
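
The split discussed in comments 4, 6 and 10 (the configuration supplies the criteria and an enforcement flag, the front-end chooses whether a failed check blocks or only warns), as an added Python example that is not part of the bug thread and is neither user-manager's nor libpwquality's code. Assumptions: the defaults are taken from this report (9 characters, enforcement on), the `minlen` and `enforcing` keys are read from a constructed pwquality.conf sample, and only plain length is compared, which is a simplification of libpwquality's real check.

```python
import re

# Assumed defaults for this example: 9 is the minimum length reported in this
# bug, and comment 10 states that enforcement defaults to on.
DEFAULTS = {"minlen": 9, "enforcing": 1}

# Constructed sample in pwquality.conf syntax ("key = value", "#" comments).
SAMPLE_CONF = """\
# /etc/security/pwquality.conf (constructed sample)
minlen = 12
# enforcing = 1
enforcing = 0
"""


def parse_pwquality_conf(text):
    """Return minlen/enforcing from pwquality.conf-style text, with defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = re.fullmatch(r"(\w+)\s*=\s*(-?\d+)", line)
        if match and match.group(1) in settings:
            settings[match.group(1)] = int(match.group(2))
    return settings


def decide(password, settings, honor_enforcing):
    """Return 'accept', 'warn' or 'reject' for a proposed password.

    Only length is compared here; libpwquality's real check also applies
    credits, dictionary and similarity tests.
    """
    if len(password) >= settings["minlen"]:
        return "accept"
    # The check failed. The library only reports that; the caller picks the
    # consequence. A front-end that honors 'enforcing' blocks when it is set.
    if honor_enforcing and settings["enforcing"]:
        return "reject"
    return "warn"


if __name__ == "__main__":
    distro_default = parse_pwquality_conf("")
    relaxed = parse_pwquality_conf(SAMPLE_CONF)
    for label, conf in (("defaults", distro_default), ("sample", relaxed)):
        for honor in (True, False):
            print(label, conf, "honor_enforcing =", honor,
                  "->", decide("hunter2", conf, honor))
```

With the assumed defaults, a front-end that honors `enforcing` rejects the short password, which is the behaviour originally reported here; one that ignores the flag, or a configuration with `enforcing = 0`, only warns.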