Bug#1064617: Passwords should not be changed frequently
Package: debian-installer
I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image. I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently. This is no longer current good advice
(since 2017):
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
(e.g., periodically). However, verifiers SHALL force a change if there
is evidence of compromise of the authenticator."
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
I happen to like their suggestion of providing a password-strength meter,
but that would be a separate bug. This bug is simply a request to remove
this outdated suggestion text from d-i.