
Re: RFC: changes to default password strength checks in pam_unix



Steve Langasek <vorlon@debian.org> writes:

> For years, the Debian pam packages have by default had a weaker password
> length requirement than upstream.  I can think of no reason for this to be
> the case, especially when upstream doesn't support a configurable minimum
> password length and Debian does.
>
> Does anyone else have a reasoned argument why Debian should have a weaker
> password length check than upstream (4 chars instead of 6)?  If not, this
> will be changed in the next upload of pam.

I think making it 6 would be a good idea.

However, I think 8 as a default may be too long.

Having enabled the cracklib stuff in pam_unix while testing the new
PAM, I agree that this should remain disabled.  Many users (including
myself) find the enforcement of all those extra checks annoying, and I
agree with other comments that extra checks don't always result in
more security due to tacking fixed patterns onto a shorter password.
It would be nice to make the pam_unix cracklib stuff configurable in
configure, so we don't need to patch the Makefiles, and push that
upstream.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Attachment: pgpehRPzxm2L7.pgp
Description: PGP signature

