
Bug#868869: debian-installer should not recommend to change password periodically (and more)



On Tue, Jul 25, 2017 at 11:22:19PM +0200, Philipp Kern wrote:
> On 07/24/2017 12:38 PM, Hideki Yamane wrote:
> >  But as a trade-off, it also makes it harder for the administrator to
> >  remember it... (and they may choose an easy password as a result). It's
> >  not a good idea to suggest changing the root password periodically, IMO.
> >  It's not a best practice.
> 
> I'd say it's one of two things: If it's easy, make sure to change it
> periodically. If it's hard enough to withstand brute-force, you don't
> need to.

The problem with regular-change policies is that they *encourage* easy
passwords, since if you want to remember something generated by "pwgen
-s 15" or some such, it will take you quite a while to do so, and by
that time it may be time to renew it again.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
     Hacklab

