
Re: RFC: changes to default password strength checks in pam_unix

On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > Does anyone else have a reasoned argument why Debian should have a weaker
> > password length check than upstream (4 chars instead of 6)?  If not, this
> > will be changed in the next upload of pam.

> What's the justification of not using a minimum password length of 8?

Given modern processor power availability, I can't think of one; but I would
prefer to deal with this in two parts, first establishing whether we have a
good reason to use a /lower/ default than upstream, and then discussing with
upstream whether that default should be raised.

The upstream default of 6 has been around for at least 5 years, possibly as
long as a decade; and the code in question is inactive when pam_unix is
linked to cracklib, which I think most distributors other than Debian are
doing (we confine the use of libcracklib to the separate pam_cracklib
module, to keep cracklib out of base); so there probably isn't any modern
justification for this default at all.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
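To make the difference discussed above concrete, here is a constructed /etc/pam.d/common-password fragment (not from the thread or from the Debian pam package) showing the two arrangements: Debian-style, where pam_unix performs its own length check and the proposed minimum of 8 is set explicitly, versus the layout most other distributions use, where pam_cracklib is stacked first and carries the strength policy. It assumes a current Linux-PAM whose pam_unix accepts minlen=; pam_unix's built-in check is irrelevant in the second form because pam_cracklib has already rejected weak passwords.

```conf
# Form 1 (Debian default layout): pam_unix alone, its own length check active.
# obscure  = Debian's extra similarity/simplicity checks
# minlen=8 = raise the minimum from the 4 (Debian) / 6 (upstream) defaults
password  [success=1 default=ignore]  pam_unix.so obscure sha512 minlen=8
password  requisite                   pam_deny.so
password  required                    pam_permit.so

# Form 2 (cracklib in front): pam_cracklib enforces strength, pam_unix only
# stores the hash and reuses the password already checked (use_authtok).
# Uncomment this block and drop the pam_unix line above to switch.
#password requisite                   pam_cracklib.so retry=3 minlen=8 difok=3
#password [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
#password requisite                   pam_deny.so
#password required                    pam_permit.so
```

Test a change with `passwd` on an unprivileged account rather than root, since root bypasses the length check in pam_unix.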
