
Bug#868869: debian-installer should not recommend to change password periodically (and more)



On Wed 26 Jul 2017 at 17:00:12 +0100, Miguel Figueiredo wrote:

> On 24-07-2017 11:38, Hideki Yamane wrote:
> >Hi,
> >
> >On Sun, 23 Jul 2017 10:49:53 +0200
> >Philipp Kern <pkern@debian.org> wrote:
> >>It seems to me that today at least the guidance of mixed
> >>character classes still makes some sense as a default, to avoid the most
> >>obvious blunder of just using a simple dictionary word and be
> >>compromised over SSH because password authentication is turned on.
> >
> >  Okay, I agree with it.
> >
> >>And change it to make brute force attacks harder.
> >
> >  But it also makes it harder for the administrator to remember, as a trade-off...
> >  (and they may choose an easy password as a result). It's not a good idea
> >  to suggest changing the root password periodically, IMO. It's not a best
> >  practice.
> >
> >  1) Add a password check feature for whether the password has enough strength,
> >     like RHEL's anaconda or SUSE's installer.
> >  2) Drop the suggestion to change the root password periodically from the message.
> >
> >  is better.
> 
> We have libpam-passwqc on the archive, which is a "Password
> quality-control PAM module".
> I think it addresses the point of checking the password strength.

It possibly does, but isn't it more suitable as a solution to
#854653 or #364526 rather than this bug (changing a password at
periodic intervals, no matter how strong it is)?

-- 
Brian.

