
Re: RFC: changes to default password strength checks in pam_unix



On Monday 03 September 2007 01:07:15 Thijs Kinkhorst wrote:
> On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote:
> > And what's the rationale to change the minimum length to 8?  It won't
> > help security, as people who pick weak passwords now, will still pick
> > weak, but longer, passwords.
>
> I agree with Bas here: I'm all for removing the Debian deviation from
> upstream, so please go ahead with that, but raising it further is not
> necessarily a useful thing to do. I can easily think of a 6-char password
> that is a lot more difficult to guess than an 8-char one.

Especially when the most common response I've seen to a system saying that a 
password is not long enough is to start adding easily guessable extension 
strings to the password the user already picked, NOT to sit back down and 
think up a better, intrinsically longer password:

e.g.

password: apple
Too short, must be 8 characters!
password: apple123

password: dog
Too short, must be 8 characters!
password: dogabcd

So raising the minimum length doesn't necessarily result in better 
passwords -- *especially* not from the kind of user who uses a derivative 
of "apple" or "dog"[1]. 

And maybe it's not "1234" or "abcd", but I'd wager a lot of people have some 
sort of algorithm -- or will quickly make one -- to extend a picked 
password without starting from scratch when e.g. a bunch of unimportant web 
services demand 15 character passwords. =)

Anyway, poor password pickers will still be poor even if you force them to 
long length ones, and good password pickers will still be good even if you 
force them to a shorter length. (Remember that there are still quite a few 
systems out there that have a *maximum* password of 8 characters, so you 
have to get creative anyway...)

However, all that said, you have to draw the minimum line somewhere, 8 is a 
subjectively better "arbitrary" default than 6, and it's also good to match 
upstream in this case.

[1] Seriously similar to real passwords I've seen in the wild.

-- 
Wesley J. Landaker <wjl@icecavern.net> <xmpp:wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2
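As an added illustration (not part of this mail, and not pam_unix's own code), a small Python check in the spirit of the word-plus-suffix complaint above: it flags the "common word plus trivial extension" pattern and estimates how many guesses each password really costs, so that apple123 scores below a 6-character random string even though it satisfies a length-8 rule. The word list, DICT_SIZE, TRIVIAL_PATTERNS and MIN_BITS are constructed assumptions, not values from the thread.

```python
import math

# Constructed sample word list standing in for a real dictionary (assumption;
# the mail and pam_unix define no such list). DICT_SIZE is the wordlist size we
# assume an attacker has when estimating how many guesses a pattern needs.
COMMON_WORDS = {"apple", "dog", "password", "letmein", "qwerty", "monkey"}
DICT_SIZE = 50_000
SYMBOLS = 94            # printable ASCII, for the brute-force comparison
TRIVIAL_PATTERNS = 200  # assumed number of letter-run/repeat suffixes tried
MIN_BITS = 28           # assumed floor on the estimated search space


def _is_alpha_run(s: str) -> bool:
    """True for ascending letter runs such as 'abcd' or 'xyz'."""
    return len(s) >= 2 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def split_extension(pw: str):
    """Return (word, suffix) if pw is a common word plus a trivial suffix
    (nothing, digits, a letter run or one repeated character), else None."""
    for cut in range(len(pw), 0, -1):
        core, ext = pw[:cut], pw[cut:]
        if core.lower() not in COMMON_WORDS:
            continue
        if ext == "" or ext.isdigit() or _is_alpha_run(ext) or len(set(ext)) == 1:
            return core, ext
    return None


def estimate_bits(pw: str) -> float:
    """log2 of the guesses an attacker who knows the pattern must make.
    Word + trivial suffix: DICT_SIZE times the suffix choices. Anything else is
    scored as if random over SYMBOLS, an upper bound rather than a guarantee."""
    split = split_extension(pw)
    if split is None:
        return len(pw) * math.log2(SYMBOLS)
    _, ext = split
    choices = (1 if ext == "" else
               10 ** len(ext) if ext.isdigit() else TRIVIAL_PATTERNS)
    return math.log2(DICT_SIZE * choices)


def check_password(pw: str, minlen: int = 8) -> list:
    """Return the reasons a password fails; an empty list means it passes."""
    reasons = []
    if len(pw) < minlen:
        reasons.append("too short")
    if split_extension(pw) is not None:
        reasons.append("common word plus trivial extension")
    if estimate_bits(pw) < MIN_BITS:
        reasons.append("too few estimated bits")
    return reasons
```

With these assumptions apple123 estimates to about 25.6 bits and is rejected on pattern grounds, while x9$Qz! estimates to about 39 bits and fails only the length rule.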


