[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1064617: Passwords should not be changed frequently



Package: debian-installer

I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image.  I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently.  This is no longer current good advice
(since 2017):

 "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
 (e.g., periodically).  However, verifiers SHALL force a change if there
 is evidence of compromise of the authenticator."

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

I happen to like their suggestion of providing a password-strength meter,
but that would be a separate bug.  This bug is simply a request to remove
this outdated suggestion text from d-i.


Reply to: