Bug#1064617: Passwords should not be changed frequently
Hi,
On 4 March 2024 06:17:31 CET, Philip Hands <phil@hands.com> wrote:
>I found that there were some phrases that I was avoiding for various
>reasons, a couple of which I see you've used, so I'll say why I was avoiding
>them and see if I have a persuasive argument for doing so.
>
>"allow/deny login/access as root":
>
> The problem here is that not having a password for root only prevents
> one from getting direct access to root by using a password. Indirect
> access is still available via sudo, and direct access is still
> available via key based ssh. I was also avoiding saying things like
> "disable the root account" for the same reason.
>
> This is why I ended up with the phrasing:
>
> direct password-based logins to 'root'.
Ok, seems fair. I would change to that then.
>
>"using the 'sudo' command":
>
> This I was avoiding because it might give the impression that one MUST
> use sudo, whereas most people will actually get their root access via a
> GUI prompting them for their own password (because it's checked that
> they're in the sudo group) when doing things like unlocking their
> network or printer settings. I thought it was worth mentioning the
> 'sudo' group explicitly because that gives something to search for if
> they want to find out more, but telling people they need to use the
> sudo command seemed like a step too far.
Correct so far. Maybe a bit more technical and therefore probably
not the easiest choice for newbies, but I have no problem using that.
>Regarding the password advice, I ended up concluding that it's pretty
>unlikely that anything we say at this point will have any effect on
>people's behaviour, but then I'm probably just an old cynic. Also, I
>failed when trying to come up with a wording which I was happy with,
>which is why I ended up discarding the advice entirely.
>
>If we want to keep the password advice in then I think what you wrote is
>(mostly) OK, although I think it implies that one should be choosing a
>single "password" (although, not a word in any normal sense), which
>could be argued to steer people away from the perfectly decent xkcd
>approach of using several dictionary words. Saying "Password or
>Passphrase" at least once would probably address that.
Ok, makes it a bit longer, but it could be worth it.
I will prepare a new patch with above.
Holger
--
Sent from /e/ OS on Fairphone3
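The point Philip makes above, that leaving root without a password only closes the direct password-based path while sudo and key-based ssh remain open, is easy to check on a system. The following is an added example (not from this thread or from the installer) that classifies the remaining paths to root from constructed /etc/shadow, sshd_config and /etc/group snippets; the sample entries and user name "holger" are made up for the example.

```python
"""Classify which paths to root remain open on a Debian-style system.

Constructed inputs: a root shadow entry whose password field is locked
('*' or a leading '!'), an sshd_config with the OpenSSH defaults spelled
out, and an /etc/group line listing the members of the 'sudo' group.
"""

# Constructed sample data (not real system files).
SHADOW = (
    "root:*:19700:0:99999:7:::\n"
    "holger:$y$j9T$constructedhash:19700:0:99999:7:::\n"
)
SSHD_CONFIG = (
    "# OpenSSH defaults since 7.0, written out for clarity\n"
    "PermitRootLogin prohibit-password\n"
    "PasswordAuthentication yes\n"
)
GROUP = "sudo:x:27:holger\n"


def root_password_locked(shadow_text):
    """True if root's shadow field forbids password login ('*' or '!...').

    An empty field means NO password is required, which is the opposite of
    locked, so it is reported as not locked. Returns None if root is absent.
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "root":
            pw = fields[1] if len(fields) > 1 else ""
            return pw == "*" or pw.startswith("!")
    return None


def sshd_option(config_text, key, default):
    """Return the first value set for `key` (sshd uses the first match)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return default


def sudo_group_members(group_text):
    """Members of the 'sudo' group, i.e. who can reach root indirectly."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if fields[0] == "sudo" and len(fields) >= 4:
            return [m for m in fields[3].split(",") if m]
    return []


def root_access_paths(shadow_text, sshd_text, group_text):
    """Summarise direct vs. indirect routes to root for the given snippets."""
    locked = root_password_locked(shadow_text)
    prl = sshd_option(sshd_text, "PermitRootLogin", "prohibit-password").lower()
    pw_auth = sshd_option(sshd_text, "PasswordAuthentication", "yes").lower() == "yes"
    return {
        # console / getty login as root with a password
        "direct_password_login": locked is False,
        # ssh root login with a password needs an unlocked password AND
        # PermitRootLogin yes AND PasswordAuthentication yes
        "ssh_root_password": locked is False and prl == "yes" and pw_auth,
        # key-based ssh root login survives every setting except 'no'
        "ssh_root_key": prl != "no",
        # indirect access: members of the sudo group
        "sudo_users": sudo_group_members(group_text),
    }


if __name__ == "__main__":
    for path, state in root_access_paths(SHADOW, SSHD_CONFIG, GROUP).items():
        print(f"{path:22s} {state}")
```

With the sample data the report shows no direct password login for root, ssh root login by key still allowed, and "holger" able to become root through sudo, which is exactly the distinction behind the wording "direct password-based logins to 'root'".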