
Propose password policy based on current standards #646

Closed
mkopec opened this issue Dec 20, 2023 · 14 comments
Assignees
Labels
enhancement New feature or request firmware

Comments

@mkopec
Member

mkopec commented Dec 20, 2023

The problem you're addressing (if any)

The current password requirements are very strict and won't allow someone to use passphrases (because you need uppercase, lowercase, special, numeric, symbol(?) characters).

It has been shown that strict password requirements cause people to re-use their passwords or use shorter ones because they simply can't remember so many complex strings of text, making their overall security lower: https://www.enzoic.com/blog/the-benefits-and-drawbacks-of-password-complexity-rules/

Describe the solution you'd like

Remove or loosen the password requirements

Where is the value to a user, and who might that user be?

People who use passphrases
People who are okay with using less secure passwords

Describe alternatives you've considered

FIDO2 auth in setup menu?

Additional context

https://neal.fun/password-game/

The password requirement code was imported completely from edk2-platforms without much thought if we want to actually have these requirements

@mkopec mkopec added the enhancement New feature or request label Dec 20, 2023
@macpijan
Contributor

Mandatory XKCD: https://xkcd.com/936/

@miczyg1
Contributor

miczyg1 commented Dec 21, 2023

Not understanding the value of security, or being lazy, should never be a reason to weaken the security.

Personally, to make the password more memorable, I use $ instead of S or 3 instead of E or @ instead of a in casual words.

Secondly, how often does an average person need to enter the BIOS? Most likely the frequency is high right after buying the HW. But when settings are settled, one almost never enters BIOS setup. The password may be enrolled when one decides on the set of settings.

Even better idea: remove the setup password if the presence of such option causes such willingness to abuse its use.

@mkopec
Member Author

mkopec commented Dec 21, 2023

And now we know which characters to include in the dictionary when bruteforcing your passwords ;)

@miczyg1
Contributor

miczyg1 commented Dec 21, 2023

> And now we know which characters to include in the dictionary when bruteforcing your passwords ;)

Good luck. Except that I mainly use the generated passphrases from bitwarden-like apps

But in cases like these where you need to memorize something, it may be good. And I just gave a few examples. There are more symbols I use, not necessarily in place of regular characters in words.

Anyway, don't forget to send me a ransom, when you get to my bank account.

@mkopec
Member Author

mkopec commented Dec 21, 2023

I guess I'll need to look for peer-reviewed studies showing the impact of password requirements here to show my point.

@macpijan
Contributor

Password policy is a very common topic; we should just look at existing standards. Here are some references: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls

Maybe we should change the title of the issue to a less-triggering one, like "Propose password policy based on current standards" ;)
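To make the difference between the two policies discussed in this thread concrete, here is an added example (not Dasharo/edk2 code) that places a composition-rule validator of the kind the opening post describes (uppercase, lowercase, numeric and symbol characters all required) next to a length-based validator following the OWASP Authentication Cheat Sheet linked above (minimum 8 characters, at least 64 allowed, no composition rules, any character permitted, candidate checked against a deny-list of known-bad passwords). The minimum length of the composition-rule policy and the deny-list contents are assumptions for the example; the issue does not state them, and a real deployment would use a breached-password list instead of a handful of literals.

```c
/* Added example, not code from the Dasharo/edk2 firmware.
 * ComplexityPolicy() models the composition rules described in the issue;
 * LengthPolicy() models the OWASP/NIST-style length-based policy. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed minimum length of the composition-rule policy (not stated in the issue). */
#define COMPLEXITY_MIN_LEN 8
/* OWASP bounds: reject shorter than 8, permit at least 64 characters. */
#define LENGTH_MIN 8
#define LENGTH_MAX 64

/* Constructed deny-list standing in for a breached-password check. */
static const char *const kDenyList[] = {
    "password", "12345678", "qwertyui", "Password1!"
};

/* Composition-rule policy: every character class must be present.
 * A multi-word passphrase with no uppercase, digit or symbol fails here
 * no matter how long it is. */
bool ComplexityPolicy(const char *pw)
{
    bool upper = false, lower = false, digit = false, symbol = false;
    size_t len = strlen(pw);

    if (len < COMPLEXITY_MIN_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c))      upper  = true;
        else if (islower(c)) lower  = true;
        else if (isdigit(c)) digit  = true;
        else if (ispunct(c)) symbol = true;
    }
    return upper && lower && digit && symbol;
}

/* Length-based policy: bounded length, any character (spaces included),
 * and rejection of known-bad passwords. A short "complex" password that
 * appears on the deny-list fails here even though it satisfies the
 * composition rules. */
bool LengthPolicy(const char *pw)
{
    size_t len = strlen(pw);

    if (len < LENGTH_MIN || len > LENGTH_MAX)
        return false;

    for (size_t i = 0; i < sizeof kDenyList / sizeof kDenyList[0]; i++) {
        if (strcmp(pw, kDenyList[i]) == 0)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample candidates. */
    const char *candidates[] = {
        "correct horse battery staple",  /* passphrase: fails complexity, passes length */
        "Password1!",                    /* passes complexity, on the deny-list */
        "short",                         /* fails both */
    };

    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        printf("%-30s complexity=%d length=%d\n", candidates[i],
               ComplexityPolicy(candidates[i]), LengthPolicy(candidates[i]));
    }
    return 0;
}
```

The point the example makes is the one the thread is circling: composition rules reject exactly the long, memorable passphrases that are hardest to guess, while accepting short patterns such as `Password1!` that satisfy every class but sit on every attacker's word list. A length bound plus a deny-list check catches the latter without penalising the former.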

@pietrushnic

> Not understanding the value of security, or being lazy, should never be a reason to weaken the security.

https://en.wikipedia.org/wiki/False_consensus_effect

@miczyg1
Contributor

miczyg1 commented Dec 21, 2023

> > Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
>
> https://en.wikipedia.org/wiki/False_consensus_effect

Sounds like something that can be applied to anything. So be it.

@mkopec mkopec changed the title Looser password requirements Propose password policy based on current standards Dec 21, 2023
@miczyg1
Contributor

miczyg1 commented Dec 29, 2023

Just for reference, AMI:

image

@pietrushnic

I guess this is an antipattern we should not follow.

@rafkoch

rafkoch commented Apr 9, 2024

When is this issue planned to be implemented, i.e. when will Dasharo accept passphrases as USER or ADMIN password?

@macpijan
Contributor

@BeataZdunczyk That should not be that difficult a change; can we plan to include it in the next releases?

@philipandag

philipandag commented Jul 12, 2024

Working on the issue here:
Dasharo/edk2#152
Dasharo/docs#857

@philipandag

Dasharo/edk2#152
Dasharo/docs#857
PRs are merged, closing the issue.
