[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: changes to default password strength checks in pam_unix

On Mon, Sep 03, 2007 at 05:45:49PM +0300, Lars Wirzenius wrote:
ma, 2007-09-03 kello 08:33 -0600, Wesley J. Landaker kirjoitti:
Especially when the most common response I've seen to a system saying
that a password is not long enough is to start adding easily guessable extension strings to the password the user already picked, NOT to sit back down and think up a better, intrinsicly longer password:

That's true. Ideally, we would replace passwords with a better
authentication system, but I'm not sure that's going to be feasible.

IMHO, user-supplied passwords are not appropriate to use over the Internet, because they _will_ be weak.

On most of my boxes, passwords are useless for anything except local authentication, and even for that, they aren't used much.

How about a Debian policy that enumerates the specific cases where passwords are allowed to be used for authentication, and states that password authentication must be disabled by default for everything else?

If you design the system so that it doesn't trust passwords much to begin with, you don't have to care about how strong the passwords are.

Dwayne C. Litzenberger <dlitz@dlitz.net>

Reply to: