Fedora revisits password policies

By Nathan Willis
April 8, 2015

The Fedora project is revising its stance on forcing users to select strong passwords, mere months after implementing a change that blocked weak-password creation in the Anaconda installer. Testers found the new approach more aggravating than helpful, so the old password-selection criteria will be put back in place for the upcoming Fedora 22 release, and the project will take a hard look at defining a more comprehensive password-security approach for Fedora 23.

As we covered in February, the root of the issue is the concern that, if left to their own devices, users will choose weak passwords that can easily be guessed or cracked. Some coaching about password strength, it was hoped, would push users toward stronger selections. The password chosen while setting up an account with Anaconda, after all, is not used just for desktop logins. A weak choice could expose the system to attack over SSH, and it goes without saying that a weak root password poses an even greater security risk than a weak password for a normal user account.

Thus, setting a higher bar for password strength in Anaconda would have additional benefits down the line. The actual change was made in January by Brian C. Lane. Rather than asking the user to verify their password choice with an additional click (as it used to), the installer would check the password provided and tell the user to choose a stronger one if it failed to meet the minimum length (eight characters) and complexity (assessed by libpwquality).

Even at the time that the Anaconda change was made, though, there were critics who argued that focusing on password strength was a mistake. The real goal is securing the Fedora machine against attack, the critics said, and that ought to involve—and perhaps start with—other steps (disallowing root logins over SSH, allowing only key-based SSH login, and so on). But the change went through nonetheless—it was, at least, quick to implement, whereas rethinking broader security policies would be quite time consuming.

By March, however, Fedora testers had gotten some time to work with the new Anaconda, and a number of them were not pleased with the change. A ticket was opened shortly after Lane's change asking the Fedora Engineering Steering Committee (FESCo) to "review it and advise the package developers". The ticket pointed to a forum thread where a number of users complained about ill effects of the change—such as making it more complicated to spin up a new virtual machine, difficulty in using the new password-checker with international keyboard layouts, and the general principle of not forcing behavior on the user.

Furthermore, Adam Williamson from the Fedora QA team commented that users found the libpwquality assessment of their passwords unusually stringent, which may not have been what the Anaconda team had intended. There were also several bugs filed about the new behavior and several mailing-list debates took place. FESCo initially deferred to the Anaconda team's decision, but after continued debate in the ticket comments, it agreed to discuss the matter in its March 4 meeting.

As the log from that meeting notes, FESCo concluded that it "would like Anaconda to turn back on the 'double-done' option for Fedora 22. Better solutions should be investigated for Fedora 23." Speaking on behalf of FESCo, Adam Jackson said that the committee "is prepared to work with Anaconda and other stakeholders to define security models for the various Fedora products. By clarifying our needs we hope to avoid this kind of contention in the future."

Reverting the Anaconda change was then designated a Fedora 22 beta blocker. Although the discussion continued, Anaconda's password checker was reverted back to its Fedora 21 behavior on April 4.

Jackson elaborated a bit on the decision in a follow-up email. He would have preferred, he said, for the various teams involved to have found a password-strength level that Anaconda and libpwquality could provide without exasperating users, but that did not happen. As a result, the decision facing FESCo was whether or not the change amounted to a regression from Fedora 21. Kevin Fenzi cited some other, more specific reasons for the decision, such as the fact that Anaconda would tell the user that their chosen password was bad, but would not explain why it was considered bad—nor how to fix it.

Ultimately, though, most participants in the discussion seemed to feel that the ideal solution would be to decide on a real, well-thought-out policy on password strength and security. What such a policy would look like has yet to be decided. Fenzi said that the best outcome would be a policy that encompassed not just Anaconda, but sshd, passwd, sudo, PolicyKit, and perhaps even device mapper and GNOME Keyring as well. Miloslav Trmač agreed, noting in particular that disk encryption warrants serious thought:

Real security is actually the minimum of (disk encryption password)*fuzz, (user account/screen lock password); with a fuzz factor accounting for the fact that disk encryption password can be broken off-line, at full speed, farming it out to thousands of machines, but a screen lock password needs to be typed (or perhaps brute-forced using a keyboard-mimicking USB device, still slower than full speed, and restricted to one guess at a time). The way we deploy LUKS, a single password guess takes one second on a comparable hardware, so the fuzz factor is not actually as large as it might seem.

A policy encompassing so many factors may take some time to devise. For example, Michael Catanzaro felt that Anaconda should stop doing account creation altogether, and leave that task up to a "first-run" tool. Such a separation of tasks might make the security-policy decision easier to handle, since it would allow the Fedora Server, Cloud, and Workstation product groups to each implement their own policy. Part of the problem with February's Anaconda password-creation change, after all, stemmed from the fact that cloud and desktop systems have a significantly different use case for user accounts.

While the debate on a project-wide password policy may take quite some time to reach a conclusion, work has progressed on changes to allow the different product teams to tune Anaconda's behavior. In March, Lane committed a change that will allow different Fedora products to specify different password-checking behavior in the Kickstart file. That will at least allow some different defaults settings to be deployed for different use cases.

Fenzi has started a draft policy page on the Fedora wiki, although it is largely blank at the moment. The last real attempt at devising any sort project-wide password-security policy was done for Fedora 17, so considerable differences should be expected. As for when the new policy will take shape, it is probably too early to say—the interest is there, but right now the focus is on getting Fedora 22 out the door. Expect to a more concerted effort once that is complete and everyone's attention turns to Fedora 23.

Index entries for this article
Security	Distribution security
Security	Passwords

Fedora revisits password policies

Posted Apr 9, 2015 8:40 UTC (Thu) by ibukanov (subscriber, #3942) [Link]

Indeed, Fedora tries to put a single policy when there are at least 3 kinds of passwords. Disk encryption requires really strong one due to off-line attacks, ssh with password authentication could be OK with less stronger one as long the login attempts are rate-limited and the lock screen could use a weak password as a bad guy with physical access to computer could use a cold boot or whatever attacks to extract encryption keys.

Fedora revisits password policies

Posted Apr 9, 2015 16:37 UTC (Thu) by mcatanzaro (subscriber, #93033) [Link] (4 responses)

"and it goes without saying that a weak root password poses an even greater security risk than a weak password for a normal user account."

Does it really? It certainly poses a greater security risk to other users on the same machine, but I would hardly be more concerned about an attacker that got root on my single-user workstation than I would be about an attacker who "merely" has access to my user account (able to read all of my private files and send them over the network).

And a stronger user account password would not make me more secure either: I have SSH disabled (as it is by default in Workstation) and am not concerned about the possibility of ninjas breaking into my apartment to steal my desktop.

Fedora revisits password policies

Posted Apr 9, 2015 23:43 UTC (Thu) by roblucid (guest, #48964) [Link] (3 responses)

root's an account guaranteed to exist, so a convenient target for password cracking; the user accounts names vary and (hopefully) are unknown. Traditional measures include preventing remote root logins, requiring login as normal user then an su(1), for this reason.

Once there's evidence of unwelcome shell access (or just unwanted programs) on a host though, one has in practice to assume root is cracked to.

Fedora revisits password policies

Posted Apr 10, 2015 5:41 UTC (Fri) by ncm (guest, #165) [Link] (2 responses)

Is it actually required that the root account be named "root"?

I wonder how much breadthwise security would be gained by renaming the root account, by default, distro-wide. Probably less than disabling root logins, or disabling root ssh logins, or disabling root ssh password logins; but if those choices were rejected, using a unique superuser account name seems pretty painless. Then any IP trying to log in as root could be added, automatically, to a firewall blacklist.

Fedora revisits password policies

Posted Apr 10, 2015 7:00 UTC (Fri) by dlang (guest, #313) [Link] (1 responses)

> Is it actually required that the root account be named "root"?

no (it's uid 0 that;s special), but if it's not you will end up with odd breakage due to tools that make that assumption. Not anything that couldn't be dealt with, but probably like tracking down the last of the bash->dash /bin/sh conversion issues.

I did it locally for a while, but finally decided it wasn't worth the hassle.

renamed root

Posted Apr 10, 2015 12:19 UTC (Fri) by robbe (guest, #16131) [Link]

What I have successfully deployed is:
* leave 'root' existing
* add another uid=0 account with a different name, say 'blarg'
* severely restrict login as 'root', but leave 'blarg' as open as you need to

This has almost all the benefits of renaming root, with less compatibility problems.

Fedora revisits password policies

Posted Apr 14, 2015 0:36 UTC (Tue) by nix (subscriber, #2304) [Link] (7 responses)

If "s@tYu9vb" is considered a "weak" password, libpwquality's algorithm is broken.

... except, of course, that when a password is vulnerable to offline attacks (as this one is not, but as disk passwords are), *any* password you can possibly remember is too weak, because of the sheer power of GPU-driven attacks. I'm using a yubikey in HMAC-SHA1 mode to generate my LUKS passphrases (with a different challenge for each encrypted volume), but I'm concerned that even *that* may be too weak, simply because it's unchanging, so an attacker could extract it from memory easily and then use it in a replay attack later on.

Fedora revisits password policies

Posted Apr 14, 2015 1:30 UTC (Tue) by Jonno (subscriber, #49613) [Link] (5 responses)

> ... except, of course, that when a password is vulnerable to offline attacks (as this one is not, but as disk passwords are), *any* password you can possibly remember is too weak

Not quite. While a "cryptographically strong" random-ASCII password is at least 19 items long [1] (i.e. "Q9yRW8j@=/N8RnYKstp9") and all but impossible to remember, a random-English password only have to be 7 items long [2] (i.e. "discount picture jimmy renegade exotica sublate cannulate"), and is quite possible to remember with some practice.

[1] 19*lg(95) = 124.8 bits; based on 95 printable characters in ASCII
[2] 7*lg(218000) = 124.1 bits; based on 218,000 words in the Oxford English Dictionary

Fedora revisits password policies

Posted Apr 14, 2015 7:55 UTC (Tue) by dgm (subscriber, #49227) [Link]

If you add missplells (say, "disconut") wich are very easy to remember, and/or add some second language you know (Klingon!) you can do with less tha n 7 words.

Fedora revisits password policies

Posted Apr 14, 2015 8:39 UTC (Tue) by NAR (subscriber, #1313) [Link] (2 responses)

What are the odds that you can actually type this 7 word password into a text box with no echo? Without making a typo?

Fedora revisits password policies

Posted Apr 14, 2015 10:28 UTC (Tue) by cesarb (subscriber, #6266) [Link] (1 responses)

> What are the odds that you can actually type this 7 word password into a text box with no echo? Without making a typo?

From my own experience, over 95% each time, and it takes only a few seconds to type. A bit less if your hands are not in the optimal position. It's mostly muscle memory.

Fedora revisits password policies

Posted Apr 14, 2015 21:20 UTC (Tue) by rodgerd (guest, #58896) [Link]

I learned a harsh lesson about muscle memory and passwords when I broke an arm a few years back. Lots of locked-out accounts.

Fedora revisits password policies

Posted Apr 18, 2015 0:22 UTC (Sat) by jspaleta (subscriber, #50639) [Link]

great... now I have to change my password AGAIN... now that you've posted it publicly... thanks..

Fedora revisits password policies

Posted Apr 17, 2015 22:42 UTC (Fri) by brunowolff (guest, #71160) [Link]

> *any* password you can possibly remember is too weak, because of the sheer power of GPU-driven attacks.

That is not true. As an experiment I started using a password with about 130 bits of entropy (20 random characters from a 93 character alphabet) for work. It wasn't that hard to remember with regular use. The main risk is not going to be offline guessing, but rather lots of other things, like entering it for the wrong account, having a camera placed near by, entering it on a compromised machine and probably lots of other things.