[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: changes to default password strength checks in pam_unix

On Sun, Sep 02, 2007 at 05:20:42PM -0700, Steve Langasek wrote:
> On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote:
> > Just curious, what is the rationale for wanting to keep cracklib out of
> > base?
> Size and complexity.  Adding libpam-cracklib to base would be a 2MB increase
> in the size of a minimal Debian system on i386, and add 5 packages to the
> list of what has to be installed before the user can do something as simple
> as set the initial root password.  Also, in terms of modularity, I don't
> think it makes sense for pam_unix to link to cracklib anyway when we have a
> separate pam_cracklib module for that (whether it's in a separate package or
> not).
> I also think that enabling cracklib password checking is probably not a
> reasonable default for single-user systems, because however much we might
> like users to use secure passwords, the hassle of disabling cracklib if the
> user disagrees with us on this point is enough to make this a very
> unpleasant user experience.  Maybe if and when we have better up-front
> documentation of what the password requirements are we could consider this
> as a default, but I don't want users to go through the experience of hitting
> five different password strength rules, one-by-one, in the
> ever-more-frustrating process of trying to set a password.
OK.  Good to know.



Roberto C. Sánchez

Attachment: signature.asc
Description: Digital signature

Reply to: