On Monday 03 September 2007 01:07:15 Thijs Kinkhorst wrote:
> On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote:
> > And what's the rationale to change the minimum length to 8? It won't
> > help security, as people who pick weak passwords now, will still pick
> > weak, but longer, passwords.
>
> I agree with Bas here: I'm all for removing the Debian deviation from
> upstream, so please go ahead with that, but raising it further is not
> necessarily a useful thing to do. I can easily think of a 6-char password
> that is a lot more difficult to guess than an 8 char one.

Especially when the most common response I've seen to a system saying that
a password is not long enough is to start adding easily guessable extension
strings to the password the user already picked, NOT to sit back down and
think up a better, intrinsically longer password: e.g.

  password: apple
  Too short, must be 8 characters!
  password: apple123

  password: dog
  Too short, must be 8 characters!
  password: dogabcd

So raising the minimum length doesn't necessarily result in better
passwords -- *especially* not from the kind of user who uses a derivative of
"apple" or "dog". And maybe it's not "1234" or "abcd", but I'd wager a lot
of people have some sort of algorithm -- or will quickly make one -- to
extend a picked password without starting from scratch when e.g. a bunch of
unimportant web services demand 15 character passwords. =)

Anyway, poor password pickers will still be poor even if you force them to
long length ones, and good password pickers will still be good even if you
force them to a shorter length. (Remember that there are still quite a few
systems out there that have a *maximum* password of 8 characters, so you
have to get creative anyway...)

However, all that said, you have to draw the minimum line somewhere, 8 is a
subjectively better "arbitrary" default than 6, and it's also good to match
upstream in this case.

Seriously similar to real passwords I've seen in the wild.

-- 
Wesley J. Landaker <email@example.com> <xmpp:firstname.lastname@example.org>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094 0097 F0A9 8A4C 4CD6 E3D2
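The "apple123" / "dogabcd" pattern described in the message above is exactly what a length-only check cannot see. The following is an added illustration, not code from the thread or from Debian's PAM configuration: a small Python password-quality check that, besides enforcing a minimum length, peels a trivial trailing extension (a short digit run, or a repeated or sequential letter run) off the candidate and looks up the remaining base in a word list. The word list here is a constructed five-word stand-in for a real dictionary such as the one cracklib uses; a deployment would load a full list. It shows that "apple123" satisfies an 8-character minimum yet is still rejected, while a 6-character password with no dictionary base passes a 6-character policy.

```python
"""Length-plus-base-word password check (added example, not Debian's code)."""
from __future__ import annotations

# Constructed stand-in for a dictionary file (assumption: a real deployment
# loads a full word list, e.g. the cracklib dictionary).
WORD_LIST = {"apple", "dog", "password", "debian", "letmein"}

# Longest trailing extension we try to strip; "1234"/"abcd" style suffixes.
MAX_EXTENSION = 4


def is_run(s: str) -> bool:
    """True for repeated or strictly sequential ASCII runs of length >= 2,
    e.g. 'abcd', 'dcba', 'aaa', '4321'."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def split_extension(pw: str) -> tuple[str, str]:
    """Split pw into (base, extension), where extension is the longest
    trailing run of up to MAX_EXTENSION chars that is either all digits
    ('1', '123') or a repeated/sequential run ('abcd').  Returns
    (pw, '') when no such suffix exists."""
    for n in range(min(MAX_EXTENSION, len(pw) - 1), 0, -1):
        base, ext = pw[:-n], pw[-n:]
        if ext.isdigit() or is_run(ext):
            return base, ext
    return pw, ""


def check_password(pw: str, min_len: int) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means it
    passed every check.  Reasons are reported in a fixed order so callers
    (and tests) can compare them directly."""
    reasons: list[str] = []
    lowered = pw.lower()
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if lowered in WORD_LIST:
        reasons.append("dictionary word")
    base, ext = split_extension(lowered)
    if ext and base in WORD_LIST:
        reasons.append(
            f"dictionary word {base!r} with trivial extension {ext!r}"
        )
    return reasons


def main() -> None:
    # The exchanges from the message, plus one short but non-dictionary
    # password, evaluated under an 8-character and a 6-character minimum.
    for candidate in ("apple", "apple123", "dog", "dogabcd", "x7#Qp!"):
        for min_len in (8, 6):
            verdict = check_password(candidate, min_len) or ["accepted"]
            print(f"min_len={min_len} {candidate!r:12} -> {'; '.join(verdict)}")


if __name__ == "__main__":
    main()
```

Run it directly to see the table of verdicts. The point of the design is that the length check and the base-word check are independent reasons, so raising `min_len` from 6 to 8 changes nothing about whether "apple123" is caught; only the extension-stripping lookup does that.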