Bug#1064617: Passwords should not be changed frequently

To: submit@bugs.debian.org
Subject: Bug#1064617: Passwords should not be changed frequently
From: Matthew Wilcox <willy@infradead.org>
Date: Sun, 25 Feb 2024 00:17:14 +0000
Message-id: <[🔎] ZdqHClFcZ8O2rWJy@casper.infradead.org>
Reply-to: Matthew Wilcox <willy@infradead.org>, 1064617@bugs.debian.org

Package: debian-installer

I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image.  I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently.  This is no longer current good advice
(since 2017):

 "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
 (e.g., periodically).  However, verifiers SHALL force a change if there
 is evidence of compromise of the authenticator."

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

I happen to like their suggestion of providing a password-strength meter,
but that would be a separate bug.  This bug is simply a request to remove
this outdated suggestion text from d-i.

Reply to:

Follow-Ups:
- Bug#1064617: Passwords should not be changed frequently
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Prev by Date: Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5
Next by Date: Bug#1064624: Hard to short-stroke an encrypted drive
Previous by thread: Re: Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5
Next by thread: Bug#1064617: Passwords should not be changed frequently
Index(es):
- Date
- Thread