Re: RFC: changes to default password strength checks in pam_unix
On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > Does anyone else have a reasoned argument why Debian should have a weaker
> > password length check than upstream (4 chars instead of 6)? If not, this
> > will be changed in the next upload of pam.
> What's the justification of not using a minimum password length of 8?
Given modern processor power availability, I can't think of one; but I would
prefer to deal with this in two parts, first establishing whether we have a
good reason to use a /lower/ default than upstream, and then discussing with
upstream whether that default should be raised.
The upstream default of 6 has been around for at least 5 years, possibly as
long as a decade; and the code in question is inactive when pam_unix is
linked to cracklib, which I think most distributors other than Debian are
doing (we confine the use of libcracklib to the separate pam_cracklib
module, to keep cracklib out of base); so there probably isn't any modern
justification for this default at all.
Steve Langasek, Debian Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
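As an added illustration, not part of the original message and not Debian's own packaging or pam configuration: a Debian-style /etc/pam.d/common-password stack showing the situation the thread describes (pam_unix as the only password-quality module, so its compiled-in length check is the whole policy) beside a stack that states the minimum explicitly and puts a cracklib-backed module in front of it. The `minlen=` option on pam_unix.so is documented in current pam_unix(8) with a default of 6; whether the pam version in use accepts it is an assumption to check against your own man page, and the other values (retry=3, difok=3, the 8-character minimum) are chosen for the example.

```text
# --- Before: the situation the thread describes (constructed example) ---
# pam_unix is the only password-quality module in the stack. Its built-in
# length check (4 in Debian's patched build, 6 upstream) is the entire policy,
# because libcracklib is kept out of pam_unix and lives in pam_cracklib instead.
password   [success=1 default=ignore]   pam_unix.so obscure sha512
password   requisite                    pam_deny.so
password   required                     pam_permit.so

# --- After: state the minimum instead of relying on the compiled-in default ---
# pam_cracklib runs first and rejects a weak password before pam_unix sees it;
# pam_unix then applies its own floor via minlen= (pam_unix(8), default 6), and
# use_authtok makes it reuse the password cracklib already accepted instead of
# prompting again.
password   requisite                    pam_cracklib.so retry=3 minlen=8 difok=3
password   [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512 minlen=8
password   requisite                    pam_deny.so
password   required                     pam_permit.so
```

To confirm the stack took effect, run `passwd` as an unprivileged user and offer a seven-character password; it should be rejected at the pam_cracklib line. Note that pam_cracklib only reports an error for root when `enforce_for_root` is set, so testing as root does not exercise the policy.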