Hardened password requirements

I just uploaded calamares-settings-ubuntu 1:25.04.12. This has the effect of creating user password requirements consistent with NIST recommendations in the Calamares installer. There is a checkbox the user can use to ignore these requirements. At that point, it will simply provide warnings.

https://launchpad.net/ubuntu/+source/calamares-settings-ubuntu/1:25.04.12

For those of you testing the dailies, this should be landing soon, so keep an eye out.

I’d love to hear feedback on what you think!

6 Likes

This finally migrated to release today (sheesh, armhf). So the next daily will have it, or you can upgrade your current daily.

I’d really like to hear feedback on this!!!

4 Likes

plucky-desktop-amd64.iso 2025-02-06 17:09

Is this the daily build you are referencing?

I do not see the checkbox and I also do not see anything mentioned about NIST requirements (though perhaps that is intentional?).

1 Like

Just FYI, but my download script also grabs the manifest file and shows package details from that (in a diff with my prior download… if I look at the output on a terminal)

The current daily contains (20250206)

calamares-settings-ubuntu-common	1:25.04.11

so I’d hope the next one.

NOTE: My used link contains current in its URL, so when a new ISO is generated it’ll show whatever is the current one…

1 Like

Am I taking from the right place?

1 Like

Nothing wrong with where you got it from, what I pasted was from the current directory; but if you compare the data in the manifest file in the directory you examined; you’ll find the same data.

By examining Index of /lubuntu/daily-live you’ll note currently both places have the same (Last modified metadata showing in the directory is something you can look at*)

3 Likes

In other words, I/we wait for the next build to hopefully test the NIST feature.

Thanks!

1 Like

There’s no mention of NIST on the screen. Here’s an example of what you should see (this was posted on the Lubuntu Development room on Matrix so if you’re there, you’ve probably already seen it):

I’m intentionally going to avoid explaining it because I want to see how easy it is to figure out.

As far as getting the package is concerned, first there’s the long wait for it to show up in the archives. It hit the release pocket when I sent that last message in but it took something like 4 hours for it to finally appear in the archives. That was weird. I don’t know what was up with that. I made that upload days ago but it took this long to even migrate to the release pocket because there was some sort of malfunction with the Launchpad armhf builders.

So right now, no matter what image you have, to get the update, you can run update and upgrade calamares-settings-lubuntu and run the installer and you’ll see it.

As far as what I mean by “next daily,” it’s important to consider the cdimage crontab. This will tell you when to expect an image, or at least when it will start building. You can see the relevant line for Lubuntu and Plucky is:

39 16 * * *	for-project lubuntu cron.daily-live --live

which means it starts building at 16:39 UTC time.

As I write this, it’s 8:19 UTC. Since that last post was 8h ago, then it was roughly at 00:19. Too early for a daily. It still is. Another 8 hours, at least. My memory is that it takes about 90 minutes for an image to build. So maybe by 18:00 you should have a new daily to test.

But like I said before, there’s no need to wait. Just update on the image you have.

5 Likes

Tested the daily from 06.02.2025 - ran update and then install and yes the “require strong passwords” box was present and prechecked … no problems encountered.

4 Likes

Thanks as always for the testing, Leo. What are your thoughts on it from a user experience? All made sense? Imagine you were the kind of person that loved to make all your passwords “password.” How would you feel about it?

1 Like

Thanks for asking…I think the only thing missing is some explanation as to what a “strong password” is and consists of. Regarding the user who just wants to use “password” he can easily remove the checkmark from the box so should be no problem.

2 Likes

Yeah I kind of agree with that. I mean, the explanation for a weak password is provided in the message to the right of the password entry fields. The problem is your password could have many reasons for being weak and so you have to figure it out as you go. When I make passwords, I try to understand what the password requirements are before randomly generating one. Of course, I’m not really the target user here. I see this more to encourage less security-minded users to be a bit more secure.

The other way to look at this is considering the amount of effort it would take to explicitly spell out all of the requirements on the screen. Extensibly, I think this would require an entire redesign of the UI. The password field would almost need its own screen. Look at all the options to libpwquality and you’ll see what I mean.

1 Like

Agree about the complexity – the explanation of a weak password is good but would be better if it were more obvious to the less experienced user.
i.e. if further to the text “require strong password” add “at least 8 characters with mixture of letters, numbers and punctuation”.

2 Likes

That’s the other problem: it’s more complicated than that. Use the following from upstream (which I based our settings on with one very minor change: no limit on length) with the above link to libpwquality and you’ll see what I mean:

# These are requirements that try to follow the suggestions from
#     https://pages.nist.gov/800-63-3/sp800-63b.html , "Digital Identity Guidelines".
# Note that requiring long and complex passwords has its own cost,
# because the user has to come up with one at install time.
# Setting 'allowWeakPasswords' to false and 'doAutologin' to false
# will require a strong password and prevent (graphical) login
# without the password. It is likely to be annoying for casual users.
#
# passwordRequirements:
#     minLength: 8
#     maxLength: 64
#     libpwquality:
#         - minlen=8
#         - maxrepeat=3
#         - maxsequence=3
#         - usersubstr=4
#         - badwords=linux

3 Likes
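To show why one "weak password" warning can have several different causes, here is an added example (not Calamares' or libpwquality's own code) that re-implements the five libpwquality rules quoted above in plain Python and lists every reason a password fails. It assumes case-insensitive matching for usersubstr and badwords, and it omits the cracklib dictionary check that libpwquality runs by default.

```python
# Added example (not Calamares' or libpwquality's code): a plain-Python
# approximation of the libpwquality rules quoted above. Case-insensitive
# usersubstr/badwords matching is assumed, and libpwquality's default cracklib
# dictionary check is omitted, so a dictionary word like "password" passes here.
RULES = {"minlen": 8, "maxrepeat": 3, "maxsequence": 3,  # upstream users.conf
         "usersubstr": 4, "badwords": ["linux"]}         # (Lubuntu drops maxLength)

def longest_run(pw):
    """Longest run of one repeated character (maxrepeat)."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def longest_sequence(pw):
    """Longest monotonic run of adjacent code points such as 'abcd' or '4321'
    (maxsequence); 'abab' changes direction, so it counts as 2."""
    best = run = 1 if pw else 0
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step not in (1, -1):
            run, direction = 1, 0
        elif direction in (0, step):
            run, direction = run + 1, step
        else:
            run, direction = 2, step
        best = max(best, run)
    return best

def shares_user_substring(pw, user, n):
    """True if any n-character slice of the user name occurs in the password."""
    pw, user = pw.lower(), user.lower()
    return any(user[i:i + n] in pw for i in range(len(user) - n + 1))

def weak_password_reasons(password, username, rules=RULES):
    """Every reason the password fails the rules; an empty list means it passes."""
    reasons = []
    if len(password) < rules["minlen"]:
        reasons.append(f"shorter than {rules['minlen']} characters")
    if longest_run(password) > rules["maxrepeat"]:
        reasons.append(f"more than {rules['maxrepeat']} identical characters in a row")
    if longest_sequence(password) > rules["maxsequence"]:
        reasons.append(f"sequence longer than {rules['maxsequence']} characters")
    if shares_user_substring(password, username, rules["usersubstr"]):
        reasons.append(f"contains {rules['usersubstr']}+ characters of the user name")
    reasons += [f"contains forbidden word '{w}'" for w in rules["badwords"]
                if w.lower() in password.lower()]
    return reasons
```

Running `weak_password_reasons("aaaa1234", "leonardo")` reports both the repeated characters and the digit sequence, while a passphrase such as "correct horse battery staple" passes, matching what testers in the thread observed.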

I also had a play with the latest update. The “strong passwords” box was pre-checked and everything worked as expected.

I did wonder what it was going to make of passphrases, but it seemed to work OK.

4 Likes

Hey thanks for checking that out! I really appreciate the feedback!! Especially now that you can actually boot into your machine :wink:

I’ve still not looked at it (I do see the package on the new daily; if I have time today I’ll peek, but today my priority is UWN/News), but if helpful, we can provide a paragraph in the release notes, it could even contain a link to this thread anyway (given a copy will exist on this site in fact instead of our old discourse it’ll likely be more noticeable too).

2 Likes

Not to disappoint you too much, but I did use a VM, and not my main rig. :slight_smile:

Oh yeah we’ll definitely do that!

As far as testing this is concerned, it’s more than sufficient! FWIW, though, you could use it on your main rig. Just, obviously, don’t start the installation.

3 Likes

@wxl I tested the latest daily build and like @irihapeti the box was pre-checked and it worked.

Please bear in mind that I am neither a dev nor a programmer but here is one possible suggestion.

If the user unchecks the require strong passwords box, how about a pop-up dialog warning of the consequences of not using strong passwords?

I guess the pop-up box would have to include something like I understand the risks before they continue?

As before, this is something I would be happy to test and provide feedback for.

By the way, I am not a Lubuntu user but I do enjoy testing and helping when I can.

3 Likes