Re: RFC: changes to default password strength checks in pam_unix

On Sun, Sep 02, 2007 at 10:29:31PM -0400, Daniel Jacobowitz wrote:
> On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
> > On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> > > On Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > > > Does anyone else have a reasoned argument why Debian should have a weaker
> > > > password length check than upstream (4 chars instead of 6)?  If not, this
> > > > will be changed in the next upload of pam.

> > > What's the justification of not using a minimum password length of 8?

> > Given modern processor power availability, I can't think of one;

> How about modern brain availability?  You'll just get a lot of annoyed
> people changing it back; for example, makepasswd still uses a minimum
> length of six.

Arguably if the consensus is that the default minimum password length should
be raised in the users' best interests, we would want to change the
makepasswd package's default at the same time.

But I'm in no hurry to drive such a change from the PAM side.  I know that
even with support from packages like makepasswd this is a change that would
annoy users, so I'm not keen to bump the minimum any higher without fairly
broad support among developers.
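
As an added illustration of the setting the thread is arguing about (this is not code from the thread, from pam, or from the makepasswd package): a small POSIX sh audit that reads a PAM "password" stack and reports the pam_unix minimum length in effect, comparing it against the 8 characters proposed above. It assumes the stack uses upstream pam_unix's `minlen=N` option, whose documented default is 6 when the option is absent; the Debian-specific option names in use at the time of the thread may differ, and the sample stacks are constructed for the example rather than copied from any system.

```sh
#!/bin/sh
# Added example (not from the thread or from the pam package): audit the
# pam_unix minimum password length configured in a PAM "password" stack.
# Assumption: the stack uses upstream pam_unix's "minlen=N" option, which
# defaults to 6 when absent (pam_unix(8)); Debian's option names at the
# time of the thread may have differed.

# Constructed sample stack with the weak 4-character minimum under discussion.
WEAK_STACK='# /etc/pam.d/common-password (constructed sample, not a real file)
password   requisite   pam_unix.so nullok obscure minlen=4 sha512
password   required    pam_deny.so'

# Constructed sample that sets no minlen, so the upstream default (6) applies.
DEFAULT_STACK='password   requisite   pam_unix.so nullok obscure sha512'

# pam_unix_minlen FILE: print the effective pam_unix minlen for FILE's
# "password" lines (first pam_unix line wins; 6 if no minlen= is present).
pam_unix_minlen() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_unix\.so' "$1" |
        sed -n 's/.*[[:space:]]minlen=\([0-9][0-9]*\).*/\1/p' |
        head -n 1 |
        grep . || echo 6
}

# check_minlen FILE REQUIRED: succeed iff the configured minimum is at least REQUIRED.
check_minlen() {
    n=$(pam_unix_minlen "$1")
    [ "$n" -ge "$2" ]
}

# Stand-alone run against the two constructed samples, checking for the
# 8-character minimum proposed in the thread.
weak=$(mktemp) && printf '%s\n' "$WEAK_STACK" > "$weak"
dflt=$(mktemp) && printf '%s\n' "$DEFAULT_STACK" > "$dflt"
for f in "$weak" "$dflt"; do
    if check_minlen "$f" 8; then
        echo "$f: minlen=$(pam_unix_minlen "$f") OK"
    else
        echo "$f: minlen=$(pam_unix_minlen "$f") is below 8"
    fi
done
rm -f "$weak" "$dflt"
```

Run it against a real `/etc/pam.d/common-password` by pointing `pam_unix_minlen` at that path instead of the constructed samples; a stack that chains several pam_unix lines (for example with `success=N` control values) should be read line by line rather than trusting the first match.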

