Bug#868869: debian-installer should not recommend to change password periodically (and more)

[Brian Potkin <claremont102@gmail.com>]

On Tue 25 Jul 2017 at 23:22:19 +0200, Philipp Kern wrote:

> On 07/24/2017 12:38 PM, Hideki Yamane wrote:
> >  But it also makes administrator to remember it harder as its trade-off...
> >  (and they maybe choose easy password as a result). It's a not good idea
> >  to suggests to change root password periodically, IMO. It's not a best
> >  practice.
> 
> I'd say it's one of two things: If it's easy, make sure to change it
> periodically. If it's hard enough to withstand brute-force, you don't
> need to.
> 
> As I said: I'm totally with you that in a standard setup it'd great for
> that not to be necessary. Unfortunately the standard setup does not ship
> with the mitigating controls.

Do you (or anyone else) change the locks on your car or front door
at regular intervals? This is really the gist of the OP's report.
Poor passwords stay poor. Good passwords do not deteriorate over
time, so why change them? (Periodically changing one poor password
for another poor password is an interesting idea).

The question has been asked before; #656509.

  Christian PERRIER says:

    Are you ready to handle the round of updates for over
    sixty languages, for a very debatable and cosmetic change?

    I am not, sorry.

  Cyril Brulebois says:

    Neither am I, so I'll just close this bug report for now.

It is a nice debating point but I am inclined to go along with this
assessment when it comes to the installer. Nobody takes any notice
of the advice anyway and there are far more important things to
attend to. Let this report suffer the same fate as the previous one,

-- 
Brian.