Hi,
On Sun, 23 Jul 2017 10:49:53 +0200
Philipp Kern <pkern@debian.org> wrote:
> It seems to me that today at least the guidance of mixed
> character classes still makes some sense as a default, to avoid the most
> obvious blunder of just using a simple dictionary word and be
> compromised over SSH because password authentication is turned on.
Okay, I agree with it.
And change it to make brute force attacks harder.
But it also makes it harder for the administrator to remember, as a trade-off...
(and they may choose an easy password as a result). It's not a good idea
to suggest changing the root password periodically, IMO. It's not a best
practice.
1) Add a password check feature for whether the password has enough strength,
like RHEL's anaconda or SUSE's installer.
2) Drop the suggestion to change the root password periodically from the message.
is better.