Re: RFC: changes to default password strength checks in pam_unix

To: debian-devel@lists.debian.org
Subject: Re: RFC: changes to default password strength checks in pam_unix
From: Russ Allbery <rra@debian.org>
Date: Tue, 04 Sep 2007 09:07:03 -0700
Message-id: <[🔎] 87lkbm1kk8.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 87642qsn4a.fsf@hardknott.home> (Roger Leigh's message of "Tue, 04 Sep 2007 12:09:41 +0100")
References: <[🔎] 20070902194736.GA10366@dario.dodds.net> <[🔎] 87642qsn4a.fsf@hardknott.home>

Roger Leigh <rleigh@whinlatter.ukfsn.org> writes:

> Having enabled the cracklib stuff in pam_unix while testing the new
> PAM, I agree that this should remain disabled.  Many users (including
> myself) find the enforcement of all those extra checks annoying, and I
> agree with other comments that extra checks don't always result in
> more security due to tacking fixed patterns onto a shorter password.

I think you'll find that if the patterns that you use aren't ones that
cracklib knows, it *does* make the password more secure.  Why?  Because
guess how attackers try to crack passwords?  It's not like most of them
write their own password cracking software.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- RFC: changes to default password strength checks in pam_unix
  - From: Steve Langasek <vorlon@debian.org>
- Re: RFC: changes to default password strength checks in pam_unix
  - From: Roger Leigh <rleigh@whinlatter.ukfsn.org>

Prev by Date: Re: debdelta, Re: proposed release goal: DEBIAN/md5sums for all packages
Next by Date: Re: RFC: changes to default password strength checks in pam_unix
Previous by thread: Re: RFC: changes to default password strength checks in pam_unix
Next by thread: Bug#440565: ITP: cereal -- automated, logged serial terminal management system
Index(es):
- Date
- Thread