Re: PATCH: warn about, and deprecate, clear text passwords

From: Robert Treat <rob(at)xzilla(dot)net>
To: Greg Sabino Mullane <htamfids(at)gmail(dot)com>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Isaac Morland <isaac(dot)morland(at)gmail(dot)com>, Aleksander Alekseev <aleksander(at)timescale(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PATCH: warn about, and deprecate, clear text passwords
Date: 2026-01-09 16:28:03
Message-ID: CABV9wwOrh9aEdaRQQa52_fEMzxGGfji8mL_Bi5PzqrvCyxLBXw@mail.gmail.com
Lists: pgsql-hackers

On Fri, Jan 9, 2026 at 9:58 AM Greg Sabino Mullane <htamfids(at)gmail(dot)com> wrote:
> On Wed, Mar 19, 2025 at 11:01 AM Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
>>
>> One of the main reasons I'm not totally sold on a clear-text password warning is because we don't have
>> agreement on removing that ability anytime soon, not to mention Bruce's point about the debate extending into mid-March.
>
> Okay, we are now safely past last March :). Any further thoughts on this? My preference is still warn by default, but I could also be on board with ignore by default.
>
> Nathan, I'm not sure that having a concrete resolve to someday remove cleartext passwords should be a blocker to warning now that they are a bad idea, but open to discussion there.
>

But is it a bad idea? In the case of md5, it was a bad idea, because we
were going to remove support for md5, so we knew that people who
clearly care about security were going to need to make a change to
*something*, and giving them a heads up was certainly a good idea
about that.

In the cleartext password case, if we aren't going to remove cleartext
passwords (and TBH, I really can't fathom that we would remove them
entirely), then the warning is just us having opinions about other
people's setup that we can't possibly be more informed about.

So I'm generally -1 on the idea of needing a warning and more so on
the idea it should be the default. And while I do think an option that
allows administrators to disable cleartext passwords seems potentially
useful, for all the gnashing of teeth about it, I don't see a lot of
adoption of things like https://github.com/HexaCluster/credcheck.

Robert Treat
https://xzilla.net
