Steve Langasek <firstname.lastname@example.org> writes:

> For years, the Debian pam packages have by default had a weaker password
> length requirement than upstream. I can think of no reason for this to be
> the case, especially when upstream doesn't support a configurable minimum
> password length and Debian does.
>
> Does anyone else have a reasoned argument why Debian should have a weaker
> password length check than upstream (4 chars instead of 6)? If not, this
> will be changed in the next upload of pam.

I think making it 6 would be a good idea. However, I think 8 as a default
may be too long.

Having enabled the cracklib stuff in pam_unix while testing the new PAM, I
agree that this should remain disabled. Many users (including myself) find
the enforcement of all those extra checks annoying, and I agree with other
comments that extra checks don't always result in more security due to
tacking fixed patterns onto a shorter password.

It would be nice to make the pam_unix cracklib stuff configurable in
configure, so we don't need to patch the Makefiles, and push that upstream.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
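The two defaults discussed in this thread, shown side by side on the `password` line of a Debian PAM stack. This fragment is an added illustration, not something from either mail or from the pam package itself. The option name `minlen=` is an assumption taken from the pam_unix(8) man page of later Debian pam releases (older Debian revisions spelled it `min=`); the mails above do not name the option, and Steve's point is precisely that upstream pam_unix had no configurable minimum at all, only its fixed 6-character check. `obscure` is pam_unix's own built-in set of checks and is separate from the compiled-in cracklib linkage Roger refers to, which at the time was a build-time choice rather than a config option.

```text
# /etc/pam.d/common-password (Debian) - illustrative fragment only.

# The weaker Debian default the thread objects to: a 4-character minimum.
password   required   pam_unix.so obscure minlen=4 md5

# Aligned with upstream's 6-character minimum, as Steve proposes:
password   required   pam_unix.so obscure minlen=6 md5
```

With the second line in place, `passwd` rejects a new password shorter than six characters before it reaches any of the `obscure` or cracklib checks; raising `minlen` further (to 8, as Roger argues against) is a one-token change on the same line.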