Enforcing password complexity for private keys
mgorny at gentoo.org
Tue Apr 30 19:51:57 CEST 2019
On Tue, 2019-04-30 at 13:40 -0400, David Milet wrote:
> Yes, we’re considering using smart cards or usb devices like Yubikey.
> Do those enforce password complexity?
> To answer suggestions in other replies, our developers are savvy enough, and we do have recurring training in place to stress the importance of good passwords. But we know also that some developers will choose the weakest password the system allows, making them the weakest link.
I dare say trying to enforce strong passwords via policy is usually
a bad idea. If you can't convince user to use and remember a good
password, trying to force it via policy usually results either in:
a. passwords being noted down on paper, phone, etc., or
b. passwords becoming more predictable.
I can't know whether your users would actually do that but it's not
uncommon problem that e.g. if you require password containing one digit
and one special character, you replace trivial passwords with trivial
passwords followed by '1!'.
More information about the Gnupg-users