Ubuntu
ubiquity package

installers (both ubiquity and d-i) allow single character passwords and encryption passphrases.

Bug #656004 reported by Jeff Lane 
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
BEeN GRUBed
Invalid
Wishlist
Unassigned
ubiquity (Ubuntu)
Invalid
Wishlist
Unassigned
Natty
Won't Fix
Wishlist
Unassigned
Oneiric
Won't Fix
Wishlist
Unassigned
Ubuntu ubuntu-11.10

Bug Description

Binary package hint: ubiquity

It's never occurred to me until reading the warning in Kubuntu's installer but the installer's user info section warns that passwords have to be between 1 and 63 characters long.

I understand the need to make things easy for end users, however, allowing single character passwords is, IMHO a bit TOO lax and is a security risk. I was able to, using the Kubuntu installer, create a single letter password using the letter 'a'.

If that's going to be the policy, why do we even bother with passwords at all?

Tags: iso-testing
Jeff Lane  (bladernr)
visibility: private → public
Revision history for this message
Jeff Lane  (bladernr) wrote :

After completing my Kubuntu installation, I rebooted and logged in using my shiny new password 'a' and dropped to a shell. I tried changing my password via the passwd command, but the default policy there requires at least 6 chars, not 1 and also checks against a dictionary for simple passwords.

I also tried changing my password using the "Change Password" option in System Settings/Account Information and it too refused to allow me to set a single char password.

This is a BIG problem, IMO...

Ubuntu QA Website (ubuntuqa)
tags: added: iso-testing
Revision history for this message
Jeff Lane  (bladernr) wrote :

Tried one more thing and in the GUI it tells me that the password z1c3b5 is too simple... ??

Also, now confirmed that Ubiquity in both 64 and 32bit Kubuntu allow me to set single character passwords.

Revision history for this message
Jeff Lane  (bladernr) wrote :

Now confirmed that this behaviour also exists in 64bit Ubuntu Desktop. Though at least there I get a red warning that it's a "Short Password" where ubiquity in Kubuntu doesn't say anything.

Jeff Lane  (bladernr)
summary: - Ubiquity allows for rediculously easy passwords (tried in Kubuntu
+ Ubiquity allows for ridiculously easy passwords (tried in Kubuntu
installer)
summary: - Ubiquity allows for ridiculously easy passwords (tried in Kubuntu
- installer)
+ Ubiquity allows for ridiculously easy passwords while changing passwords
+ after install uses more sane defaults.
Revision history for this message
Jeff Lane  (bladernr) wrote : Re: Ubiquity allows for ridiculously easy passwords while changing passwords after install uses more sane defaults.

Now discovered that d-i allows me to set a single character passphrase for an encrypted lvm as well as also setting a single character password.

Wubi too... sigh... I supposed this is a design decision, but if so, IMO it's not necessarily a good one.

A: the policy is different between installer and running system
B: allowing single char passwords is just horribly insecure (though I must admit that with today's password/PIN filled world, guessing that a given user would have a single character password would be a stretch)

Robbie Williamson (robbiew)
Changed in ubiquity (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Evan (ev)
summary: - Ubiquity allows for ridiculously easy passwords while changing passwords
- after install uses more sane defaults.
+ Ubiquity KDE frontend allows single character passwords.
Jeff Lane  (bladernr)
summary: - Ubiquity KDE frontend allows single character passwords.
+ installers (both ubiquity and d-i) allow single character passwords and
+ encryption passphrases.
Colin Watson (cjwatson)
Changed in ubiquity (Ubuntu Natty):
milestone: none → natty-alpha-2
Revision history for this message
Colin Watson (cjwatson) wrote :

I realise the policy is slightly different, and ideally we'd run the password through PAM to see what it says, but unfortunately this isn't possible because the user doesn't exist yet when we're asking the question and so you can't ask PAM to set its password - we did look at this when implementing the "weak password" warnings in the installer and it wasn't feasible. Thus, the installer does its own checks.

In d-i, I have no problem with it being *possible* to force a weak passphrase in all the contexts you mention, although you should always get a warning dialog. Please confirm whether this was the case.

The other issues here seem to be:

 * Ubiquity's KDE frontend doesn't show password warnings
 * Wubi has no password checks
 * Perhaps some passwords should be rejected in Ubiquity rather than merely producing warnings

Changed in wubi:
status: New → Triaged
Changed in ubiquity (Ubuntu Natty):
status: Confirmed → Triaged
Changed in wubi:
importance: Undecided → Wishlist
Martin Pitt (pitti)
Changed in ubiquity (Ubuntu Natty):
milestone: natty-alpha-2 → natty-alpha-3
Revision history for this message
Martin Pitt (pitti) wrote :

No assignee, and wishlist, taking off the alpha-3 radar.

Changed in ubiquity (Ubuntu Natty):
milestone: natty-alpha-3 → none
Revision history for this message
AsstZD (eskaer-spamsink) wrote :

That's not installer's damned business which kind of password I want. Close it now.

Revision history for this message
Evan (ev) wrote :

AsstZD,

This is hardly the place to post opinions. Please refer to the Ubuntu Code of Conduct before continuing.

Revision history for this message
Evan (ev) wrote :

This isn't release critical for natty.

Changed in ubiquity (Ubuntu Natty):
status: Triaged → Won't Fix
Changed in ubiquity (Ubuntu):
milestone: none → ubuntu-11.10
Jamie Strandboge (jdstrand)
Changed in ubiquity (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
Changed in ubiquity (Ubuntu):
milestone: ubuntu-11.10 → none
Changed in ubiquity (Ubuntu Oneiric):
status: New → Triaged
Changed in ubiquity (Ubuntu):
status: Triaged → Invalid
Changed in ubiquity (Ubuntu Oneiric):
importance: Undecided → Wishlist
Revision history for this message
lilorphan3133@gmail.com (lilorphan3133-deactivatedaccount) wrote :

okey i dont know how to use the command or anything with lenux/.... my lil brother changed my opertating system from Windows to lenux... what is the Owner password to my lenux, the administrator passkey.... everything i need help... if yiou guys can do something from your end... i used to be able to upload google talk.... cant.... please if you can program my laptop back to its default system.... help

affects: wubi → been-grubed
Changed in been-grubed:
assignee: nobody → lilorphan3133@gmail.com (lilorphan3133)
Changed in ubiquity (Ubuntu Natty):
assignee: nobody → lilorphan3133@gmail.com (lilorphan3133)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ubiquity (Ubuntu Oneiric):
status: Triaged → Won't Fix
Jeff Lane  (bladernr)
Changed in been-grubed:
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.