Re: RFC: changes to default password strength checks in pam_unix

Roger Leigh <firstname.lastname@example.org> writes:
> Having enabled the cracklib stuff in pam_unix while testing the new
> PAM, I agree that this should remain disabled. Many users (including
> myself) find the enforcement of all those extra checks annoying, and I
> agree with other comments that extra checks don't always result in
> more security due to tacking fixed patterns onto a shorter password.

I think you'll find that if the patterns that you use aren't ones that
cracklib knows, it *does* make the password more secure. Why? Because
guess how attackers try to crack passwords? It's not like most of them
write their own password cracking software.

Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>