On 07/19/2017 01:21 PM, Hideki Yamane wrote: >>> A good password will contain a mixture of letters, numbers and punctuation >>> and should be changed at regular intervals. > > Now debian-installer recommends to change root password periodically, however, > nowadays it SHOULD NOT. e.g. NIST publishes Digital Identity Guidelines, > in "5.1.1.2 Memorized Secret Verifiers" it says > >> Verifiers SHOULD NOT impose other composition rules (e.g., requiring >> mixtures of different character types or prohibiting consecutively >> repeated characters) for memorized secrets. Verifiers SHOULD NOT >> require memorized secrets to be changed arbitrarily (e.g., periodically). > > see https://pages.nist.gov/800-63-3/sp800-63b.html > > We should follow it to provide secure environment for users, at least. > Patch attached. While I agree with the gist of your message, I don't think picking out single points out of guidelines to make an isolated point is fair to these guidelines. They make a point in aggregate. For instance if you allow easily guessable passwords, you need at least sensible rate limiting in place (e.g. 5.2.2 - "When required by the authenticator type descriptions in Section 5.1, the verifier SHALL implement controls to protect against online guessing attacks."). I think something around security needs being different from context to context and depending on that deciding on a password shape could make sense. It seems to me that today at least the guidance of mixed character classes still makes some sense as a default, to avoid the most obvious blunder of just using a simple dictionary word and be compromised over SSH because password authentication is turned on. And change it to make brute force attacks harder. Of course in any kind of company context I would despise *rules* (which this comment is not - it's just a suggestion) because they lower security. Kind regards Philipp Kern
Attachment:
signature.asc
Description: OpenPGP digital signature