[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: changes to default password strength checks in pam_unix

On Monday 03 September 2007 01:07:15 Thijs Kinkhorst wrote:
> On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote:
> > And what's the rationale to change the minimum length to 8?  It won't
> > help security, as people who pick weak passwords now, will still pick
> > weak, but longer, passwords.
> I agree with Bas here: I'm all for removing the Debian deviation from
> upstream, so please go ahead with that, but raising it further is not
> necessarily a useful thing to do. I can easily think of a 6-char password
> that is a lot more difficult to guess than an 8 char one.

Especially when the most common response I've seen to a system saying that a 
password is not long enough is to start adding easily guessable extension 
strings to the password the user already picked, NOT to sit back down and 
think up a better, intrinsicly longer password:


password: apple
Too short, must be 8 characters!
password: apple123

password: dog
Too short, must be 8 characters!
password: dogabcd

So raising the minimum length doesn't necessarily result in better 
passwords -- *especially* not from the kind of user who uses a derivative 
of "apple" or "dog"[1]. 

And maybe it's not "1234" or "abcd", but I'd wager a lot of people have some 
sort of algorithm -- or will quickly make one -- to extend a picked 
password without starting from scratch when e.g. a bunch of unimportant web 
services demand 15 character passwords. =)

Anyway, poor password pickers will still be poor even if you force them to 
long length ones, and good password pickers will still be good even if you 
force them to a shorter length. (Remember that there still quite a few 
systems out there that have a *maximum* password of 8 characters, so you 
have to get creative anyway...)

However, all that said, you have to draw the minimum line somewhere, 8 is a 
subjectively better "arbitrary" default than 6, and it's also good to match 
upstream in this case.

[1] Seriously similar to real passwords I've seen in the wild.

Wesley J. Landaker <wjl@icecavern.net> <xmpp:wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: