Re: RFC: changes to default password strength checks in pam_unix
On Mon, Sep 03, 2007 at 05:45:49PM +0300, Lars Wirzenius wrote:
ma, 2007-09-03 kello 08:33 -0600, Wesley J. Landaker kirjoitti:
Especially when the most common response I've seen to a system saying
password is not long enough is to start adding easily guessable extension
strings to the password the user already picked, NOT to sit back down and
think up a better, intrinsicly longer password:
That's true. Ideally, we would replace passwords with a better
authentication system, but I'm not sure that's going to be feasible.
IMHO, user-supplied passwords are not appropriate to use over the Internet,
because they _will_ be weak.
On most of my boxes, passwords are useless for anything except local
authentication, and even for that, they aren't used much.
How about a Debian policy that enumerates the specific cases where
passwords are allowed to be used for authentication, and states that
password authentication must be disabled by default for everything else?
If you design the system so that it doesn't trust passwords much to begin
with, you don't have to care about how strong the passwords are.
Dwayne C. Litzenberger <email@example.com>