GNOME Bugzilla – Bug 702474
Odd password advice when entering a sequence of numbers
Last modified: 2013-07-30 14:01:00 UTC
When entering a sequence of numbers (123456) the password hint field initially reads "Try to add more characters". As you enter more numbers, it changes to "Try to avoid common words". It would be better if we could say "Try to avoid sequences of numbers" even when the number of characters is low. While numbers are technically characters, I think that most people think of numbers as numbers and characters as letters.
(In reply to comment #0)
> When entering a sequence of numbers (123456) the password hint field initially
> reads "Try to add more characters". As you enter more numbers, it changes to
> "Try to avoid common words".
>
> It would be better if we could say "Try to avoid sequences of numbers" even
> when the number of characters is low.

That's a problem of the libpwquality library, which returns errors in its order, and I can't simply write "Try to avoid sequences of numbers" for a low count of characters, because the check for the number of characters is earlier. However, it is weird that the library doesn't return PWQ_ERROR_MAX_SEQUENCE ("Try to avoid sequences like 1234 or abcd") instead of PWQ_ERROR_CRACKLIB_CHECK ("Try to avoid common words"). I'll check it...

> While numbers are technically characters, I think that most people think of
> numbers as numbers and characters as letters.

So what about changing "Try to add more characters" to something like "Try to add more letters, numbers and symbols"?
(In reply to comment #1)
> (In reply to comment #0)
> > When entering a sequence of numbers (123456) the password hint field initially
> > reads "Try to add more characters". As you enter more numbers, it changes to
> > "Try to avoid common words".
> >
> > It would be better if we could say "Try to avoid sequences of numbers" even
> > when the number of characters is low.
>
> That's a problem of the libpwquality library, which returns errors in its order, and
> I can't simply write "Try to avoid sequences of numbers" for a low count of
> characters, because the check for the number of characters is earlier.

Yeah. :(

...

> > While numbers are technically characters, I think that most people think of
> > numbers as numbers and characters as letters.
>
> So what about changing "Try to add more characters" to something like "Try to
> add more letters, numbers and symbols"?

Sounds good!
A minimal length of sequence isn't set by default in libpwquality, so sequence checking is disabled. So we can set the value, e.g. to 4, and the appropriate error "Try to avoid sequences like 1234 or abcd" will be shown. However, I've found an error which currently blocks setting the value, see https://bugzilla.redhat.com/show_bug.cgi?id=975429 .
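An added example, not part of the thread and not libpwquality's own code: a simplified C model of the behaviour discussed in the comments above, where checks run in a fixed order, only the first failure becomes the hint, and a maximum sequence length of 0 leaves the sequence check disabled. All names, the minimum length of 8 and the word list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hint codes for this model; not libpwquality's constants. */
enum hint { HINT_OK, HINT_TOO_SHORT, HINT_SEQUENCE, HINT_COMMON_WORD };
/* Assumed settings: max_sequence == 0 means the sequence check is off. */
struct policy { int min_length; int max_sequence; };

/* Return 1 if pw has an ascending or descending run longer than max. */
static int has_long_run(const char *pw, int max)
{
    int up = 1, down = 1;
    for (size_t i = 0; max > 0 && pw[i] && pw[i + 1]; i++) {
        up = (pw[i + 1] == pw[i] + 1) ? up + 1 : 1;
        down = (pw[i + 1] == pw[i] - 1) ? down + 1 : 1;
        if (up > max || down > max)
            return 1;
    }
    return 0;
}

/* Constructed stand-in for a dictionary lookup. */
static int is_common(const char *pw)
{
    static const char *words[] = { "12345678", "password", "qwertyui" };
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++)
        if (strcmp(pw, words[i]) == 0)
            return 1;
    return 0;
}

/* Checks run in a fixed order and only the first failure is reported. */
enum hint first_hint(const struct policy *p, const char *pw)
{
    if ((int)strlen(pw) < p->min_length)
        return HINT_TOO_SHORT;
    if (has_long_run(pw, p->max_sequence))
        return HINT_SEQUENCE;
    if (is_common(pw))
        return HINT_COMMON_WORD;
    return HINT_OK;
}

int main(void)
{
    struct policy off = { 8, 0 }, on = { 8, 4 };
    printf("%d %d\n", first_hint(&off, "12345678"), first_hint(&on, "12345678"));
    return 0;
}
```

In this model a short digit run still gets the length hint regardless of the sequence setting, because the length check runs first.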
Created attachment 247140: change password hint
Created attachment 247141: enable sequence checking

I've found a different way to set the PWQ_ERROR_MAX_SEQUENCE value to enable checking for character sequences...
(In reply to comment #5)
> Created an attachment (id=247141)
> enable sequence checking
>
> I've found a different way to set the PWQ_ERROR_MAX_SEQUENCE value to enable
> checking for character sequences...

Nope, this also uses the buggy pwquality_set_int_value, so the bug in libpwquality has to be fixed first...
(In reply to comment #6)
> (In reply to comment #5)
> > Created an attachment (id=247141)
> > enable sequence checking
> >
> > I've found a different way to set the PWQ_ERROR_MAX_SEQUENCE value to enable
> > checking for character sequences...
>
> Nope, this also uses the buggy pwquality_set_int_value, so the bug in
> libpwquality has to be fixed first...

The bug in libpwquality has been fixed ( https://bugzilla.redhat.com/show_bug.cgi?id=975429 ), so the patch should work now...
Review of attachment 247141: That looks good, but you should bump the libpwquality requirements as well, if this is a recent bug fix.
Created attachment 250460: bump libpwquality dependency
Review of attachment 250460: Yes. You could have merged that in the original patch as well.
Created attachment 250462: enable sequence checking

Set PWQ_ERROR_MAX_SEQUENCE using pwquality_set_int_value, because pwquality_set_option doesn't work for numbers... It is also merged with version bump patch.

Review of attachment 250462: Yep.
Review of attachment 247140: Looks good.