GNOME Bugzilla – Bug 568218
Enforce keyring password strength
Last modified: 2009-04-28 01:28:07 UTC
It would be useful to be able to enforce keyring password strength. The attached patch does that. I did compile it, but not test it.
Created attachment 126720: Enforce keyring password strength in gnome-keyring. This compiles, but was not otherwise tested.
Created attachment 126721: Enforce keyring password strength in gnome-keyring. OOPS! Looks like that patch contained unrelated chaff.
Created attachment 126892: Enforce keyring password strength in gnome-keyring. This patch was tested on F-10. Appears to work.
Hmmm. We may need to document what the 0.0 to 10.0 factors actually mean. Is there a succinct way to explain that? Otherwise it'd be confusing for someone trying to actually use the setting via gconf.
Yes, there is. The password score will be increased as follows:
- for total length of 0, 1 and 2 characters by -0.2, -0.1 and 0.0
- for total length of 3, 4 and 5 (or more) characters by 0.1, 0.2 and 0.3
- for each digit (up to 3) by 0.1
- for each upper case letter (up to 3) by 0.1
- for each other character (up to 3) by 0.15
> - for each other character (up to 3) by 0.15
That should be:
- for each special character (up to 3) by 0.15
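The scoring rules listed in the two comments above, written out as a runnable Python function. This is an added illustration, not code from the attached patch or from gnome-keyring; it assumes a starting score of 0.0, that "special character" means any character that is neither a letter nor a digit, and that "required strength" is compared directly against this raw score (the page does not say how the score maps onto the 0.0 to 10.0 gconf range, so the threshold argument is an assumption).

```python
def keyring_password_score(password: str) -> float:
    """Score a password with the increments described in the bug comments.

    Increments (cumulative, starting from 0.0):
      length 0, 1, 2            -> -0.2, -0.1, 0.0
      length 3, 4, 5 or more    ->  0.1,  0.2, 0.3
      each digit (up to 3)      ->  0.1
      each upper case (up to 3) ->  0.1
      each special char (up to 3) -> 0.15
    Lower case letters contribute only through the length term.
    """
    score = 0.0

    # Length term: index by length, capped at 5 (5 or more characters).
    length_steps = [-0.2, -0.1, 0.0, 0.1, 0.2, 0.3]
    score += length_steps[min(len(password), 5)]

    digits = sum(1 for c in password if c.isdigit())
    uppers = sum(1 for c in password if c.isupper())
    # Assumption: "special" means neither letter nor digit (punctuation, symbols, spaces).
    specials = sum(1 for c in password if not c.isalnum())

    # Each class counts at most three characters.
    score += 0.1 * min(digits, 3)
    score += 0.1 * min(uppers, 3)
    score += 0.15 * min(specials, 3)

    # Round away float noise so the value is stable for comparison and display.
    return round(score, 2)


def max_keyring_password_score() -> float:
    """Highest score the rules above can yield (length 5+, three of each class)."""
    return round(0.3 + 0.1 * 3 + 0.1 * 3 + 0.15 * 3, 2)


def meets_required_strength(password: str, required: float) -> bool:
    """Hypothetical enforcement check: accept only if the score reaches the required value."""
    return keyring_password_score(password) >= required


if __name__ == "__main__":
    # Constructed sample inputs, not from the page.
    for sample in ["", "ab", "abcde", "Passw0rd!", "ABCDEF123456!@#$%"]:
        print(repr(sample), keyring_password_score(sample))
```

Because every class is capped at three characters and the length term saturates at five, the score tops out at 1.35; a long passphrase of lower case letters scores the same 0.3 as a five-character one, which is the kind of property a policy author should be aware of before exposing the setting through gconf.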
I appreciate the effort you've put into this, but I believe that these metrics will be confusing. Usually password strength requirements are rule based and enforced at a low level, with password history and many other things. Implementing this properly will require far more code, and we'll also need to consider the other ways that passwords get into the system (APIs) etc...
The best thing to do here would be to plug the whole lot into the system password policy enforcement. In other words, run the password through PAM or something like that to see if strength requirements are met. Until we do that, may I suggest we keep the metrics I mentioned above in the gconf schema and tell users something like this in the manual: "Password length, number of upper case letters, digits and special characters in your password all contribute to its strength. Keep typing until the strength bar matches the required password strength." No maths there :-) As for APIs, we can fix them to obey password strength as well. Programs can already fetch the required strength from gconf (so they know where they need to be); we just need to enforce that.
Looks like there is no interest in this. Closing as WONTFIX.