
Re: RFC: changes to default password strength checks in pam_unix



On Mon, 2007-09-03 at 08:33 -0600, Wesley J. Landaker wrote:
> Especially when the most common response I've seen to a system saying
> that a password is not long enough is to start adding easily guessable
> extension strings to the password the user already picked, NOT to sit
> back down and think up a better, intrinsically longer password:

That's true. Ideally, we would replace passwords with a better
authentication system, but I'm not sure that's going to be feasible.

If we decide to stick with short passwords (and I'm not opposing that,
Steve's explanation of his strategy made sense to me), we should make
sure that we keep the default install such that network access to the
computer won't be possible. Then, if anyone installs openssh-server or
something, it's their own fault.

(If we wanted to be really evil, we would have openssh-server verify
that a valid password is of high quality before it accepts it.)

-- 
I am a werehuman.


