
Bug#868869: debian-installer should not recommend to change password periodically (and more)



Hi,

On Sun, 23 Jul 2017 10:49:53 +0200
Philipp Kern <pkern@debian.org> wrote:
> It seems to me that today at least the guidance of mixed
> character classes still makes some sense as a default, to avoid the most
> obvious blunder of just using a simple dictionary word and being
> compromised over SSH because password authentication is turned on.

 Okay, I agree with it.


> And change it to make brute force attacks harder.

 But it also makes it harder for the administrator to remember, as a
 trade-off... (and they may choose an easy password as a result). It's not
 a good idea to suggest changing the root password periodically, IMO. It's
 not a best practice.


 1) Add a password check feature for whether the password has enough
    strength, like RHEL's anaconda or SUSE's installer.
 2) Drop the suggestion to change the root password periodically from the
    message.

 is better.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane

