macpijan
commented
7 months ago Mandatory XKCD: https://xkcd.com/936/
Closed mkopec closed 5 days ago
macpijan
commented
7 months ago Mandatory XKCD: https://xkcd.com/936/
miczyg1
commented
7 months ago Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
Personally, to make the password more memorable, I use $ instead of S or 3 instead of E or @ instead of a in casual words.
Secondly how often an average person needs to enter BIOS? Most likely the frequency is high right after buying the HW. But when settings are settled, one almost never enters BIOS setup. The password may be enrolled when one decides on the set of settings.
Even better idea: remove the setup password if the presence of such option causes such willingness to abuse its use.
mkopec
commented
7 months ago And now we know which characters to include in the dictionary when bruteforcing your passwords ;)
miczyg1
commented
7 months ago And now we know which characters to include in the dictionary when bruteforcing your passwords ;)
Good luck. Except that I mainly use the generated passphrases from bitwarden-like apps
But in case like these where you need to memorize something, It may be good. And I just gave a few examples. There are more symbol I use, not necessarily in place of regular characters in words
Anyway, don't forget to send me a ransom, when you get to my bank account.
mkopec
commented
7 months ago I guess I'll need to look for peer-reviewed studies showing the impact of password requirements here to show my point.
macpijan
commented
7 months ago Password policy is very common topic, we should just look at existing standards, here are some references: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls
Maybe we should change the title of the issue to less-triggerring one, like "Propose password policy based on current standards" ;)
pietrushnic
commented
7 months ago Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
miczyg1
commented
7 months ago Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
Sounds like something that can be applied to anything. So be it.
miczyg1
commented
6 months ago Just for reference, AMI:
pietrushnic
commented
6 months ago I guess this is an antipattern we should not follow.
rafkoch
commented
3 months ago When is this issue planned to be implemented, i.e. when will Dasharo accept passphrases as USER or ADMIN password?
macpijan
commented
3 weeks ago @BeataZdunczyk That should be not that difficult change, can we plan to include in the next releases?
philipandag
commented
1 week ago Working on the issue here: https://github.com/Dasharo/edk2/pull/152 https://github.com/Dasharo/docs/pull/857
philipandag
commented
5 days ago https://github.com/Dasharo/edk2/pull/152 https://github.com/Dasharo/docs/pull/857 PRs are merged, closing the issue.
The problem you're addressing (if any)
The current password requirements are very strict and won't allow someone to use passphrases (because you need uppercase, lowercase, special, numeric, symbol(?) characters
It has been shown that strict password requirements cause people to re-use their passwords or use shorter ones because they simply can't remember so many complex strings of text, making their overall security lower: https://www.enzoic.com/blog/the-benefits-and-drawbacks-of-password-complexity-rules/
Describe the solution you'd like
Remove or loosen the password requirements
Where is the value to a user, and who might that user be?
People who use passphrases People who are okay with using less secure passwords
Describe alternatives you've considered
FIDO2 auth in setup menu?
Additional context
https://neal.fun/password-game/
The password requirement code was imported completely from edk2-platforms without much thought if we want to actually have these requirements